PAM and Device Ownership
Red Hat Linux allows the first privileged user to log in on the physical console
of the machine the ability to manipulate devices and perform tasks
normally reserved for root. This is done through a PAM module called
pam_console.so.
Device Ownership
When a user logs into a machine under Red Hat Linux, the
pam_console.so module is called by
login or the graphical login programs,
gdm and kdm. If
this user is the first user to log in at the physical console —
called the console user — the module
grants ownership of a variety of devices normally owned by root. The
console user owns these devices until the last local session for that
user ends. Once the user has logged out, ownership of the devices
reverts back to their default values.
The devices affected include, but are not limited to, sound cards,
floppy drives, and CD-ROM drives.
This allows a local user to manipulate these devices without attaining
root, thus simplifying common tasks for the console user.
In the file /etc/security/console.perms, you can
edit the list of devices controlled by
pam_console.so.
Application Access
The console user is also allowed access to any program with a file
bearing the command name in the
/etc/security/console.apps/ directory. These
files do not need to contain any data, but must have the exact name of
the command to which they correspond.
One notable group of applications the console user has access to are
three programs which shut off or reboot the system. These are:
/sbin/halt
/sbin/reboot
/sbin/poweroff
Because these are PAM-aware applications, they call the
pam_console.so as a requirement for use.
For more information see the man pages for
pam_console,
console.perms, and
console.apps.
