.\" Copyright 1999 Red Hat Software, Inc.
.\" Written by Michael K. Johnson <johnsonm@redhat.com>
.TH pam_console 8 2005/10/4 "Red Hat" "System Administrator's Manual"
.SH NAME
pam_console \- determine user owning the system console
.SH SYNOPSIS
.B session optional pam_console.so
.br
.B auth required pam_console.so
.SH DESCRIPTION
pam_console.so is designed to give users at the physical console
(virtual terminals and local xdm-managed X sessions by default, but
that is configurable) capabilities that they would not otherwise have,
and to take those capabilities away when they are no longer logged in at
the console. It provides two main kinds of capabilities: file permissions
and authentication.

When a user logs in at the console and \fBno other user is currently
logged in at the console\fP, pam_console.so runs the handler programs
listed in the file /etc/security/console.handlers, such as
pam_console_apply, which changes permissions and ownership of files as
described in the file /etc/security/console.perms.
That user may then log in on other terminals that are considered part
of the console, and as long as the user is still logged in at any one
of those terminals, that user will own those devices. When the user
logs out of the last terminal, the console may be taken by the next
user to log in. Other users who have logged in at the console during
the time that the first user was logged in will not be given ownership
of the devices unless they log in on one of the terminals; having done
so on any one terminal, the next user will own those devices until
he or she has logged out of every terminal that is part of the physical
console. Then the race can start for the next user. In practice, this
is not a problem; the physical console is not generally in use by many
people at the same time, and pam_console.so just tries to do the right
thing in weird cases.

When an application attempts to authenticate the user \fBand this user
is already logged in at the console\fP, pam_console.so checks whether
there is a file in the /etc/security/console.apps/ directory with the same
name as the application's service name; if such a file exists, authentication
succeeds. This way pam_console may be used to run some system
applications (reboots, config tools) without the root password,
or to require the user's password on the first system login only.
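
The ownership rule above (first console login takes the lock, the lock is
held across every terminal of the console until the owner's last logout,
and other users who log in meanwhile get nothing until they log in again
afterwards) and the "auth" lookup in console.apps can be followed step by
step with the model below. It is an added illustration, not pam_console's
own code: it assumes a state directory in the role of /var/run/console/
that holds a console.lock file naming the owner plus one session-count
file per user, which is this model's layout and not something the page
documents. It also treats "logged in at the console" as having an open
console session recorded in that directory, and the user names, terminal
names and service names are constructed.

```python
import os
import tempfile


class ConsoleTracker:
    """Tracks who owns the console, in the way the DESCRIPTION lays out."""

    def __init__(self, state_dir, apps_dir):
        self.state_dir = state_dir   # stands in for /var/run/console/ (assumed layout)
        self.apps_dir = apps_dir     # stands in for /etc/security/console.apps/
        self.lock_path = os.path.join(state_dir, "console.lock")
        self.events = []             # records where the handlers would have run

    def owner(self):
        """User named in console.lock, or None when the console is free."""
        try:
            with open(self.lock_path) as fh:
                return fh.read().strip() or None
        except FileNotFoundError:
            return None

    def _sessions(self, user):
        """Number of open console sessions of `user` (0 if none)."""
        try:
            with open(os.path.join(self.state_dir, user)) as fh:
                return int(fh.read().strip() or "0")
        except FileNotFoundError:
            return 0

    def _set_sessions(self, user, count):
        path = os.path.join(self.state_dir, user)
        if count <= 0:
            if os.path.exists(path):
                os.unlink(path)
        else:
            with open(path, "w") as fh:
                fh.write(str(count))

    def open_session(self, user):
        """Login on a terminal that is part of the console.
        Returns True when `user` owns the console afterwards."""
        self._set_sessions(user, self._sessions(user) + 1)
        current = self.owner()
        if current is None:
            # nobody else is logged in at the console: take the lock and
            # run the handlers (e.g. pam_console_apply) for this user
            with open(self.lock_path, "w") as fh:
                fh.write(user)
            self.events.append(("handlers", "lock", user))
            return True
        # someone already owns the console; a different user gets nothing
        return current == user

    def close_session(self, user):
        """Logout.  The lock is released only once the owner has logged
        out of every console terminal.  Returns True if it was released."""
        self._set_sessions(user, self._sessions(user) - 1)
        if self._sessions(user) == 0 and self.owner() == user:
            os.unlink(self.lock_path)
            self.events.append(("handlers", "unlock", user))
            return True
        return False

    def authenticate(self, service, user):
        """The 'auth' check: a user with an open console session succeeds
        exactly when <apps_dir>/<service> exists; nobody else does."""
        if self._sessions(user) == 0:
            return False
        return os.path.isfile(os.path.join(self.apps_dir, service))


def demo():
    """Walk through the scenario from the DESCRIPTION with constructed
    users (alice, bob) and return what each step observed."""
    with tempfile.TemporaryDirectory() as tmp:
        state = os.path.join(tmp, "console")
        apps = os.path.join(tmp, "console.apps")
        os.makedirs(state)
        os.makedirs(apps)
        open(os.path.join(apps, "some-system-tool"), "w").close()
        c = ConsoleTracker(state, apps)
        r = {}
        r["alice_tty1"] = c.open_session("alice")     # console free: alice takes it
        r["bob_tty2"] = c.open_session("bob")         # alice still owns it
        r["alice_tty3"] = c.open_session("alice")     # second terminal, same owner
        r["alice_auth_tool"] = c.authenticate("some-system-tool", "alice")
        r["bob_auth_tool"] = c.authenticate("some-system-tool", "bob")   # logged in, so allowed in this model
        r["alice_auth_other"] = c.authenticate("other-tool", "alice")    # no console.apps entry
        r["released_after_tty1"] = c.close_session("alice")  # still on tty3
        r["released_after_tty3"] = c.close_session("alice")  # last terminal: lock dropped
        r["owner_after_alice"] = c.owner()            # bob does not inherit it
        r["bob_tty4"] = c.open_session("bob")         # a fresh login lets bob take it
        r["events"] = list(c.events)
        return r


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, "->", value)
```

Running the module prints one line per step; the two "handlers" events for
alice bracket exactly the period in which she owned the console, and bob's
open tty2 session never made him the owner until he logged in again after
her last logout.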

.SH ARGUMENTS
.IP debug
turns on debugging
.IP allow_nonroot_tty
gain console locks and change permissions even if the TTY's owner is not root.
.IP handlersfile=\fIfilename\fP
tells pam_console.so to get the list of the handlers from a different
file than /etc/security/console.handlers
.\" .IP glob
.\" \fBnot yet implemented\fP interpret strings as globs instead of
.\" regexp expressions.
.SH EXAMPLE
\fB/etc/pam.d/some-system-tool\fP:
.br
auth sufficient pam_rootok.so
.br
auth required pam_console.so
.br

.br
\fB/etc/pam.d/some-login-service\fP:
.br
auth sufficient pam_console.so
.br
auth required pam_unix.so
.br
session required pam_unix.so
.br
session optional pam_console.so
.br
.SH FILES
\fI/var/run/console/\fP
.br
\fI/var/run/console/console.lock\fP
.br
\fI/etc/security/console.apps\fP
.br
\fI/etc/security/console.handlers\fP
.SH SECURITY NOTES
When pam_console "auth" is used for login services which provide the
possibility of remote login, it is necessary to make sure the application
correctly sets the PAM_RHOST item, or to deny remote logins completely.
Currently, /bin/login (invoked from telnetd) and gdm are OK; others may not be.
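
The two stacks under EXAMPLE and the warning above suggest a routine audit:
which services accept a console user through pam_console.so, whether each
of those actually has its /etc/security/console.apps entry (otherwise the
pam_console "auth" step can never succeed), and which of them are login
services where the PAM_RHOST handling needs to be confirmed. The script
below does that. It is an added example, not part of pam_console: the two
stacks are the ones shown under EXAMPLE, embedded as constructed input
instead of being read from /etc/pam.d/, the console.apps directory is a
temporary one created by demo(), and treating a stack that also has a
"session" entry for pam_console.so as a login service is this script's
own heuristic.

```python
import os
import tempfile

# The two stacks from the EXAMPLE section, embedded as constructed input.
PAM_STACKS = {
    "some-system-tool": (
        "auth sufficient pam_rootok.so\n"
        "auth required pam_console.so\n"
    ),
    "some-login-service": (
        "auth sufficient pam_console.so\n"
        "auth required pam_unix.so\n"
        "session required pam_unix.so\n"
        "session optional pam_console.so\n"
    ),
}

MESSAGES = {
    "passwordless-at-console":
        "console users authenticate here without a password (console.apps entry present)",
    "missing-console-apps-entry":
        "no console.apps entry: pam_console auth always fails for this service (check for config drift)",
    "check-PAM_RHOST":
        "login service with 'auth sufficient pam_console.so': confirm the application sets PAM_RHOST, or deny remote logins",
}


def parse_stack(text):
    """Parse /etc/pam.d-style lines into (type, control, module, args).
    Handles comments, the optional leading '-' on the type and bracketed
    controls such as [success=ok default=die]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        ptype = fields[0].lstrip("-")
        if fields[1].startswith("["):
            end = 1
            while end < len(fields) and not fields[end].endswith("]"):
                end += 1
            control = " ".join(fields[1:end + 1])
            rest = fields[end + 1:]
        else:
            control = fields[1]
            rest = fields[2:]
        if not rest:
            continue
        entries.append((ptype, control, rest[0], rest[1:]))
    return entries


def audit_service(name, text, apps_dir):
    """Return finding tags for one service stack; empty if pam_console.so
    is not used for auth at all."""
    entries = parse_stack(text)
    console_auth = [e for e in entries
                    if e[0] == "auth" and e[2] == "pam_console.so"]
    if not console_auth:
        return []
    findings = []
    if os.path.isfile(os.path.join(apps_dir, name)):
        findings.append("passwordless-at-console")
    else:
        findings.append("missing-console-apps-entry")
    # Heuristic (this script's, not pam_console's): a stack that also opens
    # sessions through pam_console.so is a login service, which is the case
    # the SECURITY NOTES warn about.
    opens_sessions = any(e[0] == "session" and e[2] == "pam_console.so"
                         for e in entries)
    if opens_sessions and any(e[1] == "sufficient" for e in console_auth):
        findings.append("check-PAM_RHOST")
    return findings


def run_audit(apps_dir, stacks=PAM_STACKS):
    """Audit every stack in `stacks` against the console.apps directory."""
    return {name: audit_service(name, text, apps_dir)
            for name, text in stacks.items()}


def demo():
    """Audit the EXAMPLE stacks against a temporary console.apps directory
    in which only some-system-tool has an entry."""
    with tempfile.TemporaryDirectory() as apps_dir:
        open(os.path.join(apps_dir, "some-system-tool"), "w").close()
        return run_audit(apps_dir)


if __name__ == "__main__":
    for service, tags in demo().items():
        print(service)
        for tag in tags:
            print("  -", MESSAGES[tag])
```

On a real host, replace PAM_STACKS with the contents of the files under
/etc/pam.d/ and pass /etc/security/console.apps as apps_dir; the tags are
deliberately coarse so the output is a review list, not a verdict.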
.SH "SEE ALSO"
.BR console.perms (5)
.br
.BR console.apps (5)
.br
.BR console.handlers (5)
.br
.BR pam_console_apply (8)
.br
\fI/usr/share/doc/pam*/html/index.html\fP
.SH BUGS
Let's hope not, but if you find any, please report them via the "Bug Track"
link at http://bugzilla.redhat.com/bugzilla/
.SH AUTHORS
Michael K. Johnson <johnsonm@redhat.com>
.br
Support of console.handlers and other improvements by
Tomas Mraz <tmraz@redhat.com>