When normal (non-root) users log in to a computer locally, they are
given two types of special permissions:
They can run certain programs that they would not otherwise be able
to run
They can access certain files (normally special device files used to
access diskettes, CD-ROMs, and so on) that they would not otherwise
be able to access
Since there are multiple consoles on a single computer and multiple
users can be logged into the computer locally at the same time, one of
the users has to "win" the race to access the files. The first user to
log in at the console owns those files. Once the first user logs out,
the next user who logs in will own the files.
In contrast, every user who logs in at the console
will be allowed to run programs that accomplish tasks normally restricted to the root user.
If X is running, these actions can be included as menu items in a
graphical user interface. As shipped, the console-accessible programs
include halt, poweroff and
reboot.
By default, /etc/inittab specifies that your system is set to
shutdown and reboot the system in response to a [Ctrl]-[Alt]-[Del] key combination used at the console. If you'd like to
completely disable this ability, you will need to comment out the
following line in /etc/inittab:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now |
Alternatively, you may just want to allow certain non-root users the
right to shutdown the system from the console using [Ctrl]-[Alt]-[Del]. You can restrict this privilege to certain users, by
taking the following steps:
Add a -a option to the
/etc/inittab line shown above, so that it
reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now |
The -a flag tells shutdown to
look for the /etc/shutdown.allow file, which
you'll create in the next step.
Create a file named shutdown.allow in
/etc. The shutdown.allow
file should list the usernames of any users who are allowed to
shutdown the system using [Ctrl]-[Alt]-[Del]. The format of
the /etc/shutdown.allow file is a list of
usernames, one per line, like the following:
According to this example shutdown.allow file,
stephen, jack, and sophie are allowed to shutdown the
system from the console using [Ctrl]-[Alt]-[Del]. When that key combination is used,
the shutdown -a in
/etc/inittab checks to see if any of the users in
/etc/shutdown.allow (or root) are logged in on a
virtual console. If one of them is, the shutdown of the system will
continue; if not, an error message will be written to the system
console instead.
For more information on shutdown.allow see the
shutdown man page.
In order to disable access by users to console programs, you should
run this command as root:
rm -f /etc/security/console.apps/* |
In environments where the console is otherwise secured (BIOS and LILO
passwords are set,
[Ctrl]-[Alt]-[Delete]
is disabled, the power and reset switches are disabled, and so forth), you may
not want to allow any user at the console to run
poweroff, halt, and
reboot, which are accessible from the console by
default.
To remove these abilities, run the following commands as root:
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot |
The PAM pam_console.so module manages console file
permissions and authentication. (See Chapter 8 for more
information on configuring PAM.) If you want to disable all console
access, including program and file access, comment out all lines that
refer to pam_console.so in the
/etc/pam.d directory. The following script will
do the trick:
cd /etc/pam.d
for i in * ; do
sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
done |
The pam_console.so module uses the
/etc/security/console.perms file to determine the
permissions for users at the system console. The syntax of the file is
very flexible; you can edit the file so that these instructions no
longer apply. However, the default file has a line that looks like
this:
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] |
When users log in, they are attached to some sort of named terminal,
either an X server with a name like :0 or
mymachine.example.com:1.0 or a device like
/dev/ttyS0 or /dev/pts/2.
The default is to define that local virtual consoles and local X
servers are considered local, but if you want to consider the serial
terminal next to you on port /dev/ttyS1 to also
be local, you can change that line to read:
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1 |
In /etc/security/console.perms, there is a
section with lines like:
<floppy>=/dev/fd[0-1]* \
/dev/floppy/*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/*
<cdrom>=/dev/cdrom* /dev/cdwriter* |
You can add your own lines to this section, if necessary. Make sure
that any lines you add refer to the appropriate device. For example,
you could add the following line:
(Of course, make sure that /dev/sga is really
your scanner and not, say, your hard drive.)
That's the first step. The second step is to define what is done with
those files. Look in the last section of
/etc/security/console.perms for lines similar to:
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound> 0640 root
<console> 0600 <cdrom> 0600 root.disk |
and add a line like:
<console> 0600 <scanner> 0600 root |
Then, when you log in at the console, you will be given ownership of
the /dev/sga device and the permissions will be
0600 (readable and writable by you only). When you log out, the
device will be owned by root and still have 0600 (now: readable and
writable by root only) permissions.
If you wish to make other applications accessible to console users,
you will have to do just a little bit more work.
First of all, console access only works for
applications which reside in /sbin or
/usr/sbin, so the application that you wish to
run must be there. After verifying that, do the following steps:
Create a link from the name of your application, such as our sample
foo program, to the
/usr/bin/consolehelper application:
cd /usr/bin
ln -s consolehelper foo |
Create the file
/etc/security/console.apps/foo:
touch /etc/security/console.apps/foo |
Create a PAM configuration file for the foo
service in /etc/pam.d/. An easy way to do this
is to start with a copy of the halt service's PAM configuration file,
and then modify the file if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo |
Now, when you run /usr/bin/foo, it will call
consolehelper, which will authenticate the user
with the help of /usr/sbin/userhelper. To
authenticate the user, consolehelper will ask for
the user's password if
/etc/pam.d/foo is a
copy of /etc/pam.d/halt (otherwise, it will do
precisely what is specified in
/etc/pam.d/foo) and
then run /usr/sbin/foo
with root permissions.
