Website HostingDomain RegistrationsWebsite ScriptsWebsite TemplatesWeb Hosting AffiliateWebsite ConsultingContact Us
Website Hosting
Red Hat Documentation

Red Hat

- Documentation -
Red Hat Enterprise Linux 3: Reference Guide
PrevChapter 15. Pluggable Authentication Modules (PAM)Next

15.7. PAM and Device Ownership

Red Hat Enterprise Linux allows the first user to log in on the physical console of the machine the ability to manipulate some devices and perform some tasks normally reserved for the root user. This is controlled by a PAM module called pam_console.so.

15.7.1. Device Ownership

When a user logs into a Red Hat Enterprise Linux system, the pam_console.so module is called by login or the graphical login programs, gdm and kdm. If this user is the first user to log in at the physical console — called the console user — the module grants the user ownership of a variety of devices normally owned by root. The console user owns these devices until the last local session for that user ends. Once the user has logged out, ownership of the devices reverts back to the root user.

The devices affected include, but are not limited to, sound cards, diskette drives, and CD-ROM drives.

This allows a local user to manipulate these devices without attaining root access, thus simplifying common tasks for the console user.

By modifying the file /etc/security/console.perms, the administrator can edit the list of devices controlled by pam_console.so.

WarningWarning
 

If the gdm, kdm, or xdm display manager configuration file has been altered to allow remote users to log in and the host is configured to run at runlevel 5, it is advisable to change the <console> and <xconsole> directives within the /etc/security/console.perms to the following values: 

<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
<xconsole>=:0\.[0-9] :0

Doing this will prevent remote users from gaining access to devices and restricted applications on the machine.

If the gdm, kdm, or xdm display manager configuration file has been altered to allow remote users to log in and the host is configured to run at any multiple user runlevel other than 5, it is advisable to remove the <xconsole> directive entirely and change the <console> directive to the following value: 

<console>=tty[0-9][0-9]* vc/[0-9][0-9]*

15.7.2. Application Access

The console user is also allowed access to certain programs with a file bearing the command name in the /etc/security/console.apps/ directory.

One notable group of applications the console user has access to are three programs which shut off or reboot the system. These are:

  • /sbin/halt

  • /sbin/reboot

  • /sbin/poweroff

Because these are PAM-aware applications, they call the pam_console.so module as a requirement for use.

For more information, refer to the Section 15.8.1 Installed Documentation.

PrevHomeNext
PAM and Administrative Credential CachingUpAdditional Resources


Go back to index



Have unlimited websites hosted for only $5.95 a month! Check out our new Hosting Plans!


Note: Documentation is made available for our clients. The application's homepage is located at RedHat.com





All pages Copyright © 2002-2008 by Flux Services, Inc. All rights reserved.
All trademarks used are properties of their respective owners.
Refund Policy  Privacy Statement  Service Agreement


Google   Yahoo   MSN   AOL   Altavista   Lycos   Ask Jeeves
Site Hosting  Resource Directory  Website Traffic