7.6. Configure Pluggable Authentication Modules

The Pluggable Authentication Module system can be used to give special privileges to users that logged in through the console. It is used to make devices like the floppy disk mountable by the console's user; usually they would need to become the super-user to mount a disk.

The PAM configuration file /etc/security/console.perms contains the <console> variable. For Red Hat Linux 7.1 <console> is the regular expression:

Figure 7-9. Default <console> in console.perms refers to attached keyboard and screen

<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

Later in the file the <console> user is granted permission to use some devices. This is done by altering the devices' permissions upon login and logout.

Figure 7-10. Default device listing in console.perms

<console>  0660 <floppy>     0660 root.floppy
<console>  0600 <sound>      0600 root
<console>  0600 <cdrom>      0660 root.disk
<console>  0600 <pilot>      0660 root.uucp
<console>  0600 <jaz>        0660 root.disk
<console>  0600 <zip>        0660 root.disk
<console>  0600 <ls120>      0660 root.disk
<console>  0600 <scanner>    0600 root
<console>  0600 <camera>     0600 root
<console>  0600 <memstick>   0600 root
<console>  0600 <flash>      0600 root
<console>  0600 <fb>         0600 root
<console>  0600 <kbd>        0600 root
<console>  0600 <joystick>   0600 root
<console>  0600 <v4l>        0600 root
<console>  0700 <gpm>        0700 root
<console>  0600 <mainboard>  0600 root
<console>  0600 <rio500>     0600 root

There are two types of devices listed above: those devices required by someone connecting from an attached keyboard and monitor and those devices that allow convenient access to devices. The configuration file fails to make the distionction between logical and physical console noted in Section 1.3. The configuration file is modified to create that distinction.

Figure 7-11. Devices in console.perms required for attached keyboard and screen

<console>  0600 <fb>         0600 root
<console>  0600 <kbd>        0600 root
<console>  0600 <joystick>   0600 root
<console>  0600 <v4l>        0600 root
<console>  0700 <gpm>        0700 root

The remaining devices should be altered to give control only to people attaching from the serial console. For example, we don't want an unprivileged user at a co-location site mounting a floppy disk. Define a new console type for the serial console, say <sconsole>.

Figure 7-12. Add <sconsole> in console.perms to refer to serial console

<sconsole>=ttyS0

Now modify the remaining entries from <console> to <sconsole>.

Figure 7-13. Remaining devices in console.perms altered to refer to serial console

<sconsole>  0660 <floppy>     0660 root.floppy
<sconsole>  0600 <sound>      0600 root
<sconsole>  0600 <cdrom>      0660 root.disk
<sconsole>  0600 <pilot>      0660 root.uucp
<sconsole>  0600 <jaz>        0660 root.disk
<sconsole>  0600 <zip>        0660 root.disk
<sconsole>  0600 <ls120>      0660 root.disk
<sconsole>  0600 <scanner>    0600 root
<sconsole>  0600 <camera>     0600 root
<sconsole>  0600 <memstick>   0600 root
<sconsole>  0600 <flash>      0600 root
<sconsole>  0600 <mainboard>  0600 root
<sconsole>  0600 <rio500>     0600 root

HOWTOs

7.6. Configure Pluggable Authentication Modules