V. System Configuration: Chapter 20. Console Access
V. System Configuration
Part of a system administrator's job is configuring the system for various
tasks, types of users, and hardware configurations. This section explains
how to configure a Red Hat Enterprise Linux system.
Table of Contents
20. Console Access
21. Date and Time Configuration
22. Keyboard Configuration
23. Mouse Configuration
24. X Window System Configuration
25. User and Group Configuration
26. Printer Configuration
27. Automated Tasks
28. Log Files
29. Manually Upgrading the Kernel
30. Kernel Modules
31. Mail Transport Agent (MTA) Configuration
Red Hat Enterprise Linux 4: System Administration Guide
Chapter 20. Console Access
When normal (non-root) users log into a computer locally, they are given
two types of special permissions:
1. They can run certain programs that they would not otherwise be able
to run.
2. They can access certain files (normally special device files used to
access diskettes, CD-ROMs, and so on) that they would not
otherwise be able to access.
Since there are multiple consoles on a single computer and multiple users
can be logged into the computer locally at the same time, one of the users
has to essentially win the race to access the files. The first user to log in at
the console owns those files. Once the first user logs out, the next user who
logs in owns the files.
In contrast, every user who logs in at the console is allowed to run
programs that accomplish tasks normally restricted to the root user. If X is
running, these actions can be included as menu items in a graphical user
interface. As shipped, the console-accessible programs include halt,
poweroff, and reboot.
20.1. Disabling Shutdown Via [Ctrl]-[Alt]-[Del]
By default, /etc/inittab specifies that your system is set to shut down
and reboot in response to a [Ctrl]-[Alt]-[Del] key combination used at
the console. To completely disable this ability, comment out the
following line in /etc/inittab by putting a hash mark (#) in front of it:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Alternatively, you may want to allow certain non-root users the right to
shut down or reboot the system from the console using [Ctrl]-[Alt]-[Del].
You can restrict this privilege to certain users by taking the
following steps:
1. Add the -a option to the /etc/inittab line shown above, so
that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
2. The -a flag tells shutdown to look for the /etc/shutdown.allow
file.
3. Create a file named shutdown.allow in /etc. The
shutdown.allow file should list the usernames of any users who
are allowed to shut down the system using [Ctrl]-[Alt]-[Del]. The
format of the shutdown.allow file is a list of usernames, one
per line, like the following:
stephen
jack
sophie
According to this example shutdown.allow file, the users stephen,
jack, and sophie are allowed to shut down the system from the console
using [Ctrl]-[Alt]-[Del]. When that key combination is used, the
shutdown -a command in /etc/inittab checks whether any of the
users in /etc/shutdown.allow (or root) are logged in on a virtual
console. If one of them is, the shutdown of the system continues; if
not, an error message is written to the system console instead.
For more information on shutdown.allow, refer to the shutdown man
page.
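As an added example that is not part of the guide, the following POSIX shell functions reproduce the decision that shutdown -a makes, so an administrator can audit from a script who could currently trigger a [Ctrl]-[Alt]-[Del] reboot without pressing the keys. The function names, the use of who output as the list of sessions, and the rule that only tty1, tty2, and so on count as virtual consoles are this example's assumptions; the inittab entry and the shutdown.allow format are the ones shown above.

```sh
#!/bin/sh
# Added example, not part of the Red Hat guide: reproduce the decision that
# "shutdown -a" makes when [Ctrl]-[Alt]-[Del] is pressed, so an administrator
# can audit who could trigger a reboot right now.
# Assumptions: /etc/shutdown.allow holds one username per line, and the
# logged-in listing is in the format printed by `who` ("user tty ...").

# cad_entry INITTAB
# Prints the active (uncommented) ctrlaltdel entry; fails if there is none,
# i.e. if the key combination has been disabled as described above.
cad_entry() {
    grep -v '^[[:space:]]*#' "$1" | grep '^[^:]*:[^:]*:ctrlaltdel:'
}

# cad_uses_allow_file INITTAB
# Succeeds when the active ctrlaltdel entry passes -a to shutdown, which is
# the only case in which /etc/shutdown.allow is consulted at all.
cad_uses_allow_file() {
    cad_entry "$1" | grep -qE '[[:space:]]-a([[:space:]]|$)'
}

# cad_shutdown_allowed ALLOWFILE WHO_LISTING
# Prints each permitted user (root or a name listed in ALLOWFILE) who is
# logged in on a virtual console (tty1, tty2, ...); succeeds if there is at
# least one. Sessions on pseudo-terminals (pts/N) or serial lines are not
# virtual consoles and do not count, matching the guide's wording.
cad_shutdown_allowed() {
    matches=$(printf '%s\n' "$2" | while read -r user tty _rest; do
        case $tty in
            tty[0-9]*) ;;          # a local virtual console
            *) continue ;;
        esac
        if [ "$user" = root ] || grep -qxF -- "$user" "$1"; then
            printf '%s on %s\n' "$user" "$tty"
        fi
    done)
    [ -n "$matches" ] && printf '%s\n' "$matches"
}

# audit_live_system: run the checks against the real files (not invoked here;
# call it from an interactive root shell).
audit_live_system() {
    if ! cad_entry /etc/inittab >/dev/null; then
        echo "ctrlaltdel entry is commented out: the key combination does nothing"
    elif ! cad_uses_allow_file /etc/inittab; then
        echo "ctrlaltdel entry has no -a: any user at the console can reboot"
    else
        cad_shutdown_allowed /etc/shutdown.allow "$(who)" \
            || echo "nobody currently on a virtual console may reboot via Ctrl-Alt-Del"
    fi
}
```

The audit is read-only: it inspects /etc/inittab and /etc/shutdown.allow and the session list, and never calls shutdown itself.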
20.2. Disabling Console Program Access
To disable access by users to console programs, run the following
command as root:
rm -f /etc/security/console.apps/*
In environments where the console is otherwise secured (BIOS and boot
loader passwords are set, [Ctrl]-[Alt]-[Delete] is disabled, the power and
reset switches are disabled, and so forth), you may not want to allow any
user at the console to run poweroff, halt, and reboot, which are accessible
from the console by default.
To remove these abilities, run the following commands as root:
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot
20.3. Defining the Console
The pam_console.so module uses the /etc/security/console.perms file to
determine the permissions for users at the system console. The syntax of
the file is very flexible; you can edit the file so that these instructions no
longer apply. However, the default file has a line that looks like this:
When users log in, they are attached to some sort of named terminal, either
an X server with a name like :0 or mymachine.example.com:1.0, or a device
like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual
consoles and local X servers are considered local, but if you want to
consider the serial terminal next to you on port /dev/ttyS1 to also be local,
you can change that line to read:
20.4. Making Files Accessible From the Console
In /etc/security/console.perms, there is a section with lines like:
<floppy>=/dev/fd[0-1]* \
        /dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
        /dev/mixer* /dev/sequencer \
        /dev/sound/* /dev/beep \
        /dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* \
        /mnt/cdrom*
You can add your own lines to this section, if necessary. Make sure that any
lines you add refer to the appropriate device. For example, you could add
the following line:
<scanner>=/dev/scanner /dev/usb/scanner*
(Of course, make sure that /dev/scanner is really your scanner and not,
say, your hard drive.)
That is the first step. The second step is to define what is done with those
files. Look in the last section of /etc/security/console.perms for lines
similar to:
and add a line like:
Then, when you log in at the console, you are given ownership of the
/dev/scanner device with the permissions of 0600 (readable and writable
by you only). When you log out, the device is owned by root and still has
the permissions 0600 (now readable and writable by root only).
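As an added example that is not part of the guide, the shell functions below parse the device-class section shown above (joining backslash-continued lines) and report what each listed pattern currently names on the system, which is the check the guide asks for before adding a class such as <scanner>. The function names are this example's own; the permission lines in the last section of console.perms, which this page does not reproduce, are deliberately skipped by the parser.

```sh
#!/bin/sh
# Added example, not part of the Red Hat guide: a small parser for the
# device-class section of /etc/security/console.perms, plus the sanity check
# the guide asks for ("make sure /dev/scanner is really your scanner and not,
# say, your hard drive"). Assumptions: only "<class>=path path ..." lines
# with backslash continuations are handled; the permission lines in the last
# section of the file are ignored.

# console_perms_class FILE CLASS
# Prints the path patterns assigned to <CLASS>, one per line, after joining
# lines that end in a backslash and skipping comment lines.
console_perms_class() {
    awk -v want="<$2>" '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
        {
            line = buf $0; buf = ""
            if (line ~ /^[[:space:]]*#/) next
            eq = index(line, "="); if (eq == 0) next
            key = substr(line, 1, eq - 1); gsub(/[[:space:]]/, "", key)
            if (key != want) next
            n = split(substr(line, eq + 1), parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }' "$1"
}

# console_perms_check FILE CLASS
# Expands each pattern of <CLASS> with the shell's glob rules and reports
# what it names right now:
#   char-device   what a scanner, sound card or terminal should be
#   block-device  a disk or CD-ROM: expected for <cdrom>, alarming for <scanner>
#   not-a-device  a regular file or directory (e.g. a /mnt mount point)
#   missing       the pattern matched nothing (printed unexpanded)
console_perms_check() {
    console_perms_class "$1" "$2" | while read -r pattern; do
        for path in $pattern; do          # unquoted on purpose: glob expansion
            if   [ -c "$path" ]; then kind=char-device
            elif [ -b "$path" ]; then kind=block-device
            elif [ -e "$path" ]; then kind=not-a-device
            else                       kind=missing
            fi
            printf '%s %s\n' "$path" "$kind"
        done
    done
}

# Usage on a live system (not invoked here):
#   console_perms_check /etc/security/console.perms scanner
```

Run console_perms_check on the class you are about to add: every entry that is meant to become user-owned at login should come back as char-device, and a block-device result for anything other than <cdrom> or <floppy> means the pattern is matching a disk.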
20.5. Enabling Console Access for Other Applications
To make other applications accessible to console users, a bit more work is
required.
First of all, console access only works for applications which reside in
/sbin/ or /usr/sbin/, so the application that you wish to run must be there.
After verifying that, do the following steps:
1. Create a link from the name of your application, such as our sample
foo program, to the /usr/bin/consolehelper application:
cd /usr/bin
ln -s consolehelper foo
2. Create the file /etc/security/console.apps/foo:
touch /etc/security/console.apps/foo
3. Create a PAM configuration file for the foo service in /etc/pam.d/.
An easy way to do this is to start with a copy of the halt service's
PAM configuration file, and then modify the file if you want to change
the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo
Now, when /usr/bin/foo is executed, consolehelper is called, which
authenticates the user with the help of /usr/sbin/userhelper. To
authenticate the user, consolehelper asks for the user's password if
/etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it does precisely
what is specified in /etc/pam.d/foo) and then runs /usr/sbin/foo with root
permissions.
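The three steps above, as an added example that is not part of the guide: one shell function that checks the /sbin or /usr/sbin precondition and then performs the link, the console.apps entry and the PAM file copy, with the per-application removal from Section 20.2 as its undo and a status check. The ROOT prefix argument and the function names are this example's assumptions, added so the procedure can be rehearsed against a staging directory before touching the real /etc; pass / for the live system.

```sh
#!/bin/sh
# Added example, not part of the Red Hat guide: the three steps of section
# 20.5 as one function, with the precondition checked first, plus the undo
# from section 20.2 and a status check. ROOT is an assumed prefix so the
# procedure can be rehearsed against a staging tree; pass / for the live
# system.

# enable_console_app ROOT APP
enable_console_app() {
    root=${1%/}      # "/" becomes "", so "$root/usr/sbin" is "/usr/sbin"
    app=$2
    # Precondition: consolehelper only hands off to binaries in /sbin or /usr/sbin.
    if ! [ -x "$root/usr/sbin/$app" ] && ! [ -x "$root/sbin/$app" ]; then
        echo "enable_console_app: $app must live in /sbin or /usr/sbin" >&2
        return 1
    fi
    mkdir -p "$root/usr/bin" "$root/etc/security/console.apps" "$root/etc/pam.d"
    # Step 1: /usr/bin/APP is a symlink to consolehelper (relative, as in the guide).
    ln -sf consolehelper "$root/usr/bin/$app"
    # Step 2: the (empty) console.apps entry marks APP as a console application.
    : > "$root/etc/security/console.apps/$app"
    # Step 3: start from halt's PAM configuration; an existing file is kept,
    # so local edits to /etc/pam.d/APP survive a re-run.
    [ -f "$root/etc/pam.d/$app" ] || cp "$root/etc/pam.d/halt" "$root/etc/pam.d/$app"
}

# disable_console_app ROOT APP
# Section 20.2's removal for a single application: without the console.apps
# entry, consolehelper no longer treats APP as console-accessible.
disable_console_app() {
    rm -f "${1%/}/etc/security/console.apps/$2"
}

# console_app_status ROOT APP: succeeds only when all three pieces are in place.
console_app_status() {
    root=${1%/}
    [ "$(readlink "$root/usr/bin/$2" 2>/dev/null)" = consolehelper ] \
        && [ -f "$root/etc/security/console.apps/$2" ] \
        && [ -f "$root/etc/pam.d/$2" ]
}

# Usage on a live system, as root (not invoked here):
#   enable_console_app / foo && console_app_status / foo
```

Because step 3 copies halt's PAM file, the new wrapper inherits exactly halt's authentication behaviour; review /etc/pam.d/APP afterwards if the application needs something different.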
In the PAM configuration file, an application can be configured to use the
pam_timestamp module to remember (or cache) a successful
authentication attempt. When an application is started and proper
authentication is provided (the root password), a timestamp file is created.
By default, a successful authentication is cached for five minutes. During
this time, any other application that is configured to use pam_timestamp and
run from the same session is automatically authenticated for the user — the
user does not have to enter the root password again.
This module is included in the pam package. To enable this feature, the PAM
configuration file in /etc/pam.d/ must include the following lines:
auth sufficient /lib/security/pam_timestamp.so
session optional /lib/security/pam_timestamp.so
The first line that begins with auth should be after any other auth
sufficient lines, and the line that begins with session should be after any
other session optional lines.
If an application configured to use pam_timestamp is successfully
authenticated from the Main Menu Button (on the Panel), the icon is
displayed in the notification area of the panel if you are running the GNOME
or KDE desktop environment. After the authentication expires (the default is
five minutes), the icon disappears.
The user can select to forget the cached authentication by clicking on the
icon and selecting the option to forget authentication.
20.6. The floppy Group
If, for whatever reason, console access is not appropriate for you and your
non-root users require access to your system's diskette drive, this can
be done using the floppy group. Add the user(s) to the floppy group using
the tool of your choice. For example, the gpasswd command can be used to
add user fred to the floppy group:
Now, user fred is able to access the system's diskette drive from the
console.