Gentoo Forums
pam_console HOWTO
t35t0r
n00b


Joined: 27 Feb 2005
Posts: 68
Location: irc.freenode.net

Posted: Fri Nov 09, 2007 5:05 am    Post subject: pam_console HOWTO

I was going to put this in gentoo-wiki but since it's dead I'll share it here.

pam_console is a way to set up permissions on device files for the main console user and do other things when a user logs in. It's used in RHEL/Fedora but may also be used in other distros. It provides a way for the console user to get access to /dev/cdrw, /dev/snd/*, etc. files without needing to be in the audio, burning, or other groups. This is especially helpful in heterogeneous networked environments where NFS is in heavy use and users can be in many groups. Not having to be in these extra local "gentoo" specific groups saves the 16-group NFS limit for other important groups shared across machines over NFS.

It looks like it can also chown mount points to the console user, such as /mnt/floppy and /mnt/memstick when the user inserts these devices into the system. Not sure how these mount directories automatically show up (may require hal/dbus).

1) emerge -av pam_console
2) su -
3) cp /etc/security/console.perms /etc/security/console.perms.bak
4) I grabbed the following /etc/security/console.perms file from a RHEL4 system; take this file and put it in your /etc/security directory, overwriting the old one:

Code:

<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<xconsole>=:[0-9]\.[0-9] :[0-9]

# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]* \
     /dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
    /dev/mixer* /dev/sequencer \
    /dev/sound/* /dev/beep \
    /dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<pilot>=/dev/pilot
<jaz>=/mnt/jaz*
<zip>=/mnt/pocketzip* /mnt/zip* /dev/zip*
<ls120>=/dev/ls120 /mnt/ls120*
<scanner>=/dev/scanner* /dev/usb/scanner*
<rio500>=/dev/usb/rio500
<camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
<memstick>=/mnt/memstick*
<flash>=/mnt/flash* /dev/flash*
<diskonkey>=/mnt/diskonkey*
<rem_ide>=/mnt/microdrive*
<fb>=/dev/fb /dev/fb[0-9]* \
     /dev/fb/*
<kbd>=/dev/kbd
<joystick>=/dev/js[0-9]*
<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
      /dev/video/*
<gpm>=/dev/gpmctl
<dri>=/dev/nvidia* /dev/3dfx*
<mainboard>=/dev/apm_bios
<pmu>=/dev/pmu
<bluetooth>=/dev/rfcomm*
<raw1394>=/dev/raw1394

# permission definitions
<console>  0660 <floppy>     0660 root.floppy
<console>  0600 <sound>      0600 root
<console>  0600 <cdrom>      0660 root.disk
<console>  0600 <pilot>      0660 root.uucp
<console>  0600 <jaz>        0660 root.disk
<console>  0600 <zip>        0660 root.disk
<console>  0600 <ls120>      0660 root.disk
<console>  0600 <scanner>    0600 root
<console>  0600 <camera>     0600 root.disk
<console>  0600 <memstick>   0600 root.disk
<console>  0600 <flash>      0600 root.disk
<console>  0600 <diskonkey>  0660 root.disk
<console>  0600 <rem_ide>    0660 root.disk
<console>  0600 <fb>         0600 root
<console>  0600 <kbd>        0600 root
<console>  0600 <joystick>   0600 root
<console>  0600 <v4l>        0600 root
<console>  0700 <gpm>        0700 root
<console>  0600 <mainboard>  0600 root
<console>  0600 <rio500>     0600 root
<console>  0600 <pmu>        0600 root
<console>  0600 <bluetooth>  0600 root
<console>  0600 <raw1394>    0600 root

<xconsole> 0600 /dev/console 0600 root.root
<xconsole> 0600 <dri>        0600 root


5) In /etc/pam.d/login uncomment the following line:

Code:
#session    optional    pam_console.so


6) If you use gdm, xdm, or kdm as a login manager, add the following line to the end of /etc/pam.d/gdm and /etc/pam.d/gdm-autologin (for gdm), /etc/pam.d/xdm (for xdm), or /etc/pam.d/kdm and /etc/pam.d/kdm-np (for kdm):

Code:
session    optional     pam_console.so


7) I also found pam_console being used in these other /etc/pam.d files on RHEL4; not sure how exactly it affects the installation, so I didn't include them (files discussed in the steps above are not shown again below):

Code:

# grep pam_console *

halt:auth       required        pam_console.so
kbdrate:auth       required     pam_console.so
kcheckpass:session    optional  pam_console.so
kscreensaver:session    optional        pam_console.so
poweroff:auth       required    pam_console.so
reboot:auth       required      pam_console.so
remote:session    optional      pam_console.so
xserver:auth       required     pam_console.so


8) Finally, you can make a backup of your /etc/group file and remove yourself from the tty, audio, cdrom, cdrw, video, and usb groups. pam_console should take care of the permissions when you log out and log back in.
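An added example, not part of the original post and not code from pam_console: a small Python parser for the console.perms layout shown in the post above, which resolves device classes and reports which rule would apply to a given device path and what that path reverts to on logout. The sample text is constructed from a few lines of that file, the function names are hypothetical, and matching uses Python's fnmatch as an approximation of pam_console's own globbing.

```python
import fnmatch
import re

# Constructed sample: a few lines in the format of the console.perms file above.
SAMPLE = r"""
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<xconsole>=:[0-9]\.[0-9] :[0-9]
# device classes -- these are shell-style globs
<sound>=/dev/dsp* /dev/audio* \
    /dev/snd/*
<cdrom>=/dev/cdrom* /mnt/cdrom*
<console>  0600 <sound>      0600 root
<console>  0600 <cdrom>      0660 root.disk
<xconsole> 0600 /dev/console 0600 root.root
"""

def parse_console_perms(text):
    """Return (classes, rules) parsed from console.perms-style text."""
    # Join backslash-continued lines before splitting into logical lines.
    joined = re.sub(r"\\\n\s*", " ", text)
    classes, rules = {}, []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"(<\w+>)=(.*)", line)
        if m:  # class definition: <name>=glob glob ...
            classes[m.group(1)] = m.group(2).split()
            continue
        # permission rule: console-class mode device revert-mode revert-owner
        who, mode, dev, rmode, rowner = line.split()
        rules.append({"who": who, "mode": mode,
                      "globs": classes.get(dev, [dev]),  # class or literal path
                      "revert_mode": rmode, "revert_owner": rowner})
    return classes, rules

def rules_for(path, rules):
    """Rules whose globs match path (assumption: fnmatch, where '*' crosses '/')."""
    return [r for r in rules
            if any(fnmatch.fnmatch(path, g) for g in r["globs"])]

if __name__ == "__main__":
    _, parsed = parse_console_perms(SAMPLE)
    for dev in ("/dev/snd/pcmC0D0p", "/dev/cdrom0", "/dev/sda"):
        print(dev, rules_for(dev, parsed))
```

Running it against the real /etc/security/console.perms (read the file and pass its text to parse_console_perms) shows which device nodes are handed to the console user before you remove yourself from the groups in step 8.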
96140
Retired Dev


Joined: 23 Jan 2005
Posts: 1324

Posted: Fri Nov 09, 2007 5:40 am    Post subject:

--

Last edited by 96140 on Fri Sep 13, 2013 8:55 am; edited 1 time in total
t35t0r
n00b


Joined: 27 Feb 2005
Posts: 68
Location: irc.freenode.net

Posted: Fri Nov 30, 2007 4:36 am    Post subject:

Quote:
pam_console is deprecated, dead, and useless. You should be using consolekit instead, as explained in this guide.


I saw that guide before writing the howto, but I'm still using pam_console because I don't see how exactly to use consolekit to do what I'm attempting. There are no guides or anything, just a bunch of foundation APIs. How exactly do I use consolekit without jumping to a rawhide distro?