Red Hat Enterprise Linux 4: System Administration Guide
V. System Configuration

Part of a system administrator's job is configuring the system for various tasks, types of users, and hardware configurations. This section explains how to configure a Red Hat Enterprise Linux system.

Table of Contents
20. Console Access
21. Date and Time Configuration
22. Keyboard Configuration
23. Mouse Configuration
24. X Window System Configuration
25. User and Group Configuration
26. Printer Configuration
27. Automated Tasks
28. Log Files
29. Manually Upgrading the Kernel
30. Kernel Modules
31. Mail Transport Agent (MTA) Configuration
Chapter 20. Console Access
When normal (non-root) users log into a computer locally, they are given two types of special permissions:

1. They can run certain programs that they would not otherwise be able to run.
2. They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would not otherwise be able to access.

Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to essentially win the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in owns the files.

In contrast, every user who logs in at the console is allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, the console-accessible programs include halt, poweroff, and reboot.

Both kinds of privilege are granted on the strength of physical presence at the machine, so they are only as trustworthy as the physical security of the console itself; the rest of this chapter shows how to narrow or remove them where that assumption does not hold.
20.1. Disabling Shutdown Via [Ctrl][Alt][Del]
By default, /etc/inittab specifies that your system is set to shut down and reboot in response to a [Ctrl][Alt][Del] key combination used at the console. To completely disable this ability, comment out the following line in /etc/inittab by putting a hash mark (#) in front of it:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Alternatively, you may want to allow certain non-root users the right to shut down or reboot the system from the console using [Ctrl][Alt][Del]. You can restrict this privilege to certain users by taking the following steps:

1. Add the -a option to the /etc/inittab line shown above, so that it reads:

ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now

2. The -a flag tells shutdown to look for the /etc/shutdown.allow file.

3. Create a file named shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shut down the system using [Ctrl][Alt][Del]. The format of the shutdown.allow file is a list of usernames, one per line, like the following:

stephen
jack
sophie

According to this example shutdown.allow file, the users stephen, jack, and sophie are allowed to shut down the system from the console using [Ctrl][Alt][Del]. When that key combination is used, the shutdown -a command in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system continues; if not, an error message is written to the system console instead.

Two points are worth keeping in mind. First, init only re-reads /etc/inittab when told to (telinit q) or at the next boot, so the edited line does not take effect until then. Second, the check is for who is logged in, not for who pressed the keys: while a listed user (or root) has a session open on a virtual console, anyone with physical access to the keyboard can trigger the reboot, whereas a listed user who is only logged in remotely (for example over SSH, which is not a virtual console) does not satisfy the check at all. For more information on shutdown.allow, refer to the shutdown man page.
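The decision that shutdown -a makes, as an added example that is not part of the Red Hat guide and not the code of /sbin/shutdown itself: a shell model of the check, run against constructed data rather than a live machine. The real check reads utmp; this model reads a file holding the output of who(1) instead, and assumes that a session counts as being on a virtual console when its line field is tty followed by digits, so pts/* sessions (SSH, terminal emulators) do not count. The usernames, times and addresses in the sample data are made up.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: a stand-alone model of the
# decision "shutdown -a" makes when [Ctrl][Alt][Del] is pressed, so the rule
# can be tried against constructed data instead of a live machine.  The real
# check lives inside /sbin/shutdown and reads utmp; this model reads a file
# holding "who" output instead.  Modelling assumption: a session counts as
# "on a virtual console" when its line field is tty followed by digits, so
# pts/* sessions from ssh or a terminal emulator do not count.

# ctrlaltdel_allowed ALLOWFILE WHOFILE
#   ALLOWFILE  shutdown.allow layout: one username per line, # comments allowed
#   WHOFILE    captured output of who(1): user, line, login time, ...
# Succeeds when root or a listed user is logged in on a virtual console.
ctrlaltdel_allowed() {
    allow="$1"; wholist="$2"
    for u in root $(sed -e 's/#.*//' "$allow"); do
        # field 1 of who output is the user, field 2 the terminal line
        if awk -v u="$u" '$1 == u && $2 ~ /^tty[0-9]+$/ { hit = 1 }
                          END { exit !hit }' "$wholist"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample data; none of these logins is real.
tmp=$(mktemp -d)
printf '%s\n' stephen jack sophie > "$tmp/shutdown.allow"
# jack is at virtual console tty1: the check passes, and it passes for
# whoever is physically at the keyboard, not only for jack
printf '%-8s %-12s %s\n' jack tty1 '2004-05-10 09:14' \
                         mallory tty2 '2004-05-10 09:20' > "$tmp/who.local"
# sophie is listed but only logged in over ssh (pts/0): the check fails
printf '%-8s %-12s %s\n' sophie pts/0 '2004-05-10 09:30 (10.0.0.5)' \
                         mallory tty2 '2004-05-10 09:20' > "$tmp/who.remote"

for w in who.local who.remote; do
    if ctrlaltdel_allowed "$tmp/shutdown.allow" "$tmp/$w"; then
        echo "$w: authorized user on a virtual console, shutdown proceeds"
    else
        echo "$w: no authorized users logged in, shutdown refused"
    fi
done
```

The two sample who listings make the practical consequence visible: the first is accepted although the user at tty2 is not on the list, the second is refused although a listed user is logged in, because that login is on a pseudo-terminal.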
20.2. Disabling Console Program Access
To disable access by users to console programs, run the following command as root:

rm -f /etc/security/console.apps/*

In environments where the console is otherwise secured (BIOS and boot loader passwords are set, [Ctrl][Alt][Del] is disabled, the power and reset switches are disabled, and so forth), you may not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible from the console by default. To remove these abilities, run the following commands as root:

rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot

These commands delete the files rather than disabling them, so keep a copy if you may want to restore console access later. Removing an entry from /etc/security/console.apps/ only stops consolehelper from running that program as root on behalf of console users; it does not change who may log in at the console or the device ownership rules described in the following sections.
20.3. Defining the Console

The pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:

<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0, or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:

<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1

Every terminal matched by this line gives its users the device ownership and the console programs described in this chapter, so add a terminal only when whoever can reach it is trusted to the same degree as someone sitting at the keyboard. A pattern that also matched pseudo-terminals such as /dev/pts/2 would extend console privileges to remote logins.
20.4. Making Files Accessible From the Console
In /etc/security/console.perms, there is a section with lines like:

<floppy>=/dev/fd[0-1]* \
         /dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
        /dev/mixer* /dev/sequencer \
        /dev/sound/* /dev/beep \
        /dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*

You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the appropriate device. For example, you could add the following line:

<scanner>=/dev/scanner /dev/usb/scanner*

(Of course, make sure that /dev/scanner is really your scanner and not, say, your hard drive.)

That is the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:

<console>  0660 <floppy>   0660 root.floppy
<console>  0600 <sound>    0640 root
<console>  0600 <cdrom>    0600 root.disk

Each of these lines has five fields: the console class, the mode given to the console user at login, the device class, and the mode and owner (optionally owner.group) that the devices revert to at logout. Add a line like:

<console>  0600 <scanner>  0600 root

Then, when you log in at the console, you are given ownership of the /dev/scanner device with the permissions of 0600 (readable and writable by you only). When you log out, the device is owned by root and still has the permissions 0600 (now readable and writable by root only).
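How the two halves of console.perms described in sections 20.3 and 20.4 fit together, as an added example that is not part of the Red Hat guide and not the code of pam_console: a shell model that reads a console.perms file and reports, for a user logging in on a given terminal, which device classes are handed over, with what mode, and what they revert to at logout. The sample file is constructed here after the defaults quoted above; the class names <console>, <floppy> and <cdrom> follow the naming of the <sound> and <scanner> classes the guide shows and are assumed. Two modelling assumptions: patterns in the <console> class are matched as anchored regular expressions (so tty[0-9][0-9]* reads as "tty followed by one or more digits" and mymachine.example.com:1.0 does not match), while device-class patterns are shell globs; and the real module globs each device pattern against /dev, which this model skips, printing the class name instead. Check pam_console(8) on your own system before relying on either.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide or of pam_console: a model of
# how /etc/security/console.perms is read.  Modelling assumptions are noted
# in the comments; the sample file at the bottom is constructed here.
set -f   # never let the shell expand console.perms patterns against the cwd

# join_continuations FILE: strip # comments and fold lines ending in "\"
join_continuations() {
    sed -e 's/#.*//' "$1" | awk '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
        { s = buf $0; buf = ""; if (s !~ /^[[:space:]]*$/) print s }'
}

# class_patterns FILE CLASS: the patterns defined for <CLASS>, one per word
class_patterns() {
    join_continuations "$1" |
        awk -v key="<$2>=" 'index($0, key) == 1 { print substr($0, length(key) + 1) }'
}

# console_matches FILE NAME: is terminal NAME in the <console> class?
# Assumption: console patterns are anchored basic regular expressions, so
# "tty[0-9][0-9]*" means tty plus one or more digits and "\." is a literal dot.
console_matches() {
    for p in $(class_patterns "$1" console); do
        printf '%s\n' "$2" | grep -q -x -e "$p" && return 0
    done
    return 1
}

# file_in_class FILE CLASS PATH: does device PATH fall in <CLASS>?
# Assumption: device patterns are shell globs, the syntax case already uses.
file_in_class() {
    for p in $(class_patterns "$1" "$2"); do
        case "$3" in $p) return 0 ;; esac
    done
    return 1
}

# perms_plan FILE TERMINAL USER: for a login by USER on TERMINAL, print one
# line per applicable entry:
#   devclass login-mode login-owner logout-mode logout-owner
perms_plan() {
    console_matches "$1" "$2" || return 0      # not a console: nothing changes
    join_continuations "$1" |
        awk -v user="$3" 'NF == 5 && $1 == "<console>" && $3 ~ /^<.*>$/ {
            print $3, $2, user, $4, $5 }'
}

# Constructed sample laid out like the defaults quoted in sections 20.3 and
# 20.4, with the serial terminal /dev/ttyS1 and the <scanner> class added.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1

<floppy>=/dev/fd[0-1]* \
         /dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
        /dev/mixer* /dev/sequencer \
        /dev/sound/* /dev/beep \
        /dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<scanner>=/dev/scanner /dev/usb/scanner*

<console>  0660 <floppy>   0660 root.floppy
<console>  0600 <sound>    0640 root
<console>  0600 <cdrom>    0600 root.disk
<console>  0600 <scanner>  0600 root
EOF

for term in tty1 /dev/ttyS1 :0 pts/2 mymachine.example.com:1.0; do
    echo "== fred logs in on $term =="
    perms_plan "$sample" "$term" fred
done
```

Running it shows four device classes handed to fred for tty1, /dev/ttyS1 and :0, and nothing at all for pts/2 or the remote X display, which is the whole effect of the <console> line: it is the list of terminals whose users are trusted with the devices below it.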
20.5. Enabling Console Access for Other Applications
To make other applications accessible to console users, a bit more work is required.
First of all, console access only works for applications which reside in /sbin/ or /usr/sbin/, so the application that you wish to run must be there. After verifying that, do the following steps:

1. Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:

cd /usr/bin
ln -s consolehelper foo

2. Create the file /etc/security/console.apps/foo:

touch /etc/security/console.apps/foo

3. Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:

cp /etc/pam.d/halt /etc/pam.d/foo

Now, when /usr/bin/foo is executed, consolehelper is called, which authenticates the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper asks for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it does precisely what is specified in /etc/pam.d/foo) and then runs /usr/sbin/foo with root permissions. Because /usr/sbin/foo then runs as root for anyone who passes the checks in /etc/pam.d/foo, only wrap programs that are safe to hand to console users with root privileges, and keep the PAM file as strict as the program warrants.

In the PAM configuration file, an application can be configured to use the pam_timestamp module to remember (or cache) a successful authentication attempt. When an application is started and proper authentication is provided (the root password), a timestamp file is created. By default, a successful authentication is cached for five minutes. During this time, any other application that is configured to use pam_timestamp and run from the same session is automatically authenticated for the user; the user does not have to enter the root password again. This module is included in the pam package. To enable this feature, the PAM configuration file in /etc/pam.d/ must include the following lines:

auth sufficient /lib/security/pam_timestamp.so
session optional /lib/security/pam_timestamp.so

The first line that begins with auth should be after any other auth sufficient lines, and the line that begins with session should be after any other session optional lines.

Note that the cache is shared across every pam_timestamp-enabled application started from the same session: for the life of the timestamp, each of them runs as root without a prompt. On a desktop that may be left unattended, forget the cached authentication when you are done, or shorten the period with the module's timestamp_timeout option (in seconds).

If an application configured to use pam_timestamp is successfully authenticated from the Main Menu Button (on the Panel), an icon is displayed in the notification area of the panel if you are running the GNOME or KDE desktop environment. After the authentication expires (the default is five minutes), the icon disappears. The user can select to forget the cached authentication by clicking on the icon and selecting the option to forget authentication.
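The three steps above plus the pam_timestamp edit, as an added example that is not part of the Red Hat guide: shell functions that perform the procedure against a scratch directory tree (ROOT) so the result can be inspected before the live /etc is touched; run them with ROOT empty, as root, to apply them for real. The program name foo, the sandbox and the sample halt service file are constructed here; the sample follows the PAM service-file layout but is not a copy of RHEL 4's /etc/pam.d/halt.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: the three steps of section
# 20.5 plus the pam_timestamp edit, as functions run against a scratch tree
# (ROOT) before touching the live /etc.  With ROOT empty they act on the real
# system.  "foo" and the sample halt service file are constructed here.

# enable_console_app APP [ROOT]: make /usr/bin/APP a consolehelper wrapper
enable_console_app() {
    app="$1"; root="${2:-}"
    # consolehelper only runs programs installed in /sbin or /usr/sbin
    if [ ! -x "$root/sbin/$app" ] && [ ! -x "$root/usr/sbin/$app" ]; then
        echo "$app: not installed in /sbin or /usr/sbin" >&2
        return 1
    fi
    # step 1: the user-facing name is a symlink to consolehelper
    ln -sf consolehelper "$root/usr/bin/$app" || return 1
    # step 2: an empty console.apps entry marks the program console-accessible
    : > "$root/etc/security/console.apps/$app" || return 1
    # step 3: PAM service file, cloned from the halt service's
    cp "$root/etc/pam.d/halt" "$root/etc/pam.d/$app"
}

# add_timestamp_caching PAMFILE: insert the two pam_timestamp lines where the
# guide says they belong: the auth line after the last "auth sufficient" line
# (else after the last auth line), the session line after the last "session
# optional" line (else after the last session line, else at the end).
add_timestamp_caching() {
    pam="$1"
    grep -q pam_timestamp "$pam" && return 0          # already configured
    awk '
        { line[NR] = $0 }
        /^auth[[:space:]]/               { la = NR }
        /^auth[[:space:]]+sufficient/    { las = NR }
        /^session[[:space:]]/            { ls = NR }
        /^session[[:space:]]+optional/   { lso = NR }
        END {
            A = "auth       sufficient   /lib/security/pam_timestamp.so"
            S = "session    optional     /lib/security/pam_timestamp.so"
            pa = las ? las : la
            ps = lso ? lso : (ls ? ls : NR)
            if (pa == 0) print A            # no auth lines at all: put it first
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == pa) print A
                if (i == ps) print S
            }
        }' "$pam" > "$pam.tmp" && mv "$pam.tmp" "$pam"
}

# make_sandbox: scratch tree with the paths the procedure touches; prints its root
make_sandbox() {
    r=$(mktemp -d)
    mkdir -p "$r/sbin" "$r/usr/bin" "$r/etc/security/console.apps" "$r/etc/pam.d"
    printf '#!/bin/sh\necho foo running as "$(id -un)"\n' > "$r/sbin/foo"
    chmod 755 "$r/sbin/foo"
    # constructed stand-in for /etc/pam.d/halt, not a copy of the real file
    cat > "$r/etc/pam.d/halt" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so
session    optional     pam_xauth.so
EOF
    echo "$r"
}

root=$(make_sandbox)
enable_console_app foo "$root"
add_timestamp_caching "$root/etc/pam.d/foo"
ls -l "$root/usr/bin/foo" "$root/etc/security/console.apps/foo"
cat "$root/etc/pam.d/foo"
```

The ordering rule is the part worth automating: because pam_timestamp is a sufficient auth module, placing it before another sufficient module would let a cached timestamp short-circuit that module's check, which is why the function anchors it after the last one.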
20.6. The floppy Group

If, for whatever reason, console access is not appropriate for you and your non-root users require access to your system's diskette drive, this can be done using the floppy group. Add the user(s) to the floppy group using the tool of your choice. For example, the gpasswd command can be used to add user fred to the floppy group:

gpasswd -a fred floppy

Now, user fred is able to access the system's diskette drive. Unlike console access, group membership is not tied to physical presence at the machine, so it also applies to fred's remote logins; grant it only where that is intended.