Chapter 5. Console Access
When non-root users log in locally, at the console, they are given two kinds of special permissions:
- They can run certain programs that they otherwise cannot run.
- They can access certain files that they otherwise cannot access. These files normally include special device files used to access diskettes, CD-ROMs, and so on.
5.1. Disabling Console Program Access for Non-root Users
Programs that are accessible from the console are listed in the /etc/security/console.apps/ directory. To list these programs, run the following command:

ls /etc/security/console.apps
abrt-cli-root
config-util
eject
halt
poweroff
reboot
rhn_register
setup
subscription-manager
subscription-manager-gui
system-config-network
system-config-network-cmd
xserver
The PAM configuration file for each program in /etc/security/console.apps/ resides in the /etc/pam.d/ directory and is named the same as the program. Using this file, you can configure PAM to deny access to the program if the user is not root. To do that, insert the line

auth requisite pam_deny.so

directly after the first uncommented line

auth sufficient pam_rootok.so

The order matters. pam_rootok.so is marked sufficient, so root is accepted before the new line is reached; pam_deny.so is marked requisite, so every other user is rejected immediately and none of the later auth modules in the file (such as pam_console.so) get a chance to grant access. Placing the deny line before the pam_rootok.so line would lock root out of the program as well.
Example 5.1. Disabling Access to the Reboot Program
To disable non-root access to the reboot program listed in /etc/security/console.apps/reboot, insert the line auth requisite pam_deny.so into the /etc/pam.d/reboot PAM configuration file:

#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       requisite    pam_deny.so
auth       required     pam_console.so
#auth      include      system-auth
account    required     pam_permit.so

With this, all non-root console access to the reboot utility is disabled. The change restricts only the PAM-authorized console wrapper; root can still run the program directly.
Many programs in /etc/security/console.apps/ partially derive their PAM configuration from the /etc/pam.d/config-util configuration file. This allows you to change the configuration for all of these programs at once by editing /etc/pam.d/config-util. To find all of these programs, search for PAM configuration files that refer to the config-util file:

grep -l "config-util" /etc/pam.d/*
/etc/pam.d/abrt-cli-root
/etc/pam.d/rhn_register
/etc/pam.d/subscription-manager
/etc/pam.d/subscription-manager-gui
/etc/pam.d/system-config-network
/etc/pam.d/system-config-network-cmd
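The following script is an added example and is not part of the Red Hat guide. It applies the edit from Example 5.1 to a PAM service file (inserting auth requisite pam_deny.so directly after the first uncommented pam_rootok.so line, refusing to touch a file that has no such anchor line, and doing nothing if the deny line is already there), and it audits a console.apps directory for programs that are still open to non-root users, treating a program whose file includes config-util as covered when config-util itself carries the deny line. The function names, the regular expressions and the use of directory arguments instead of the fixed /etc/pam.d and /etc/security/console.apps paths are this example's own choices, so it can be tried on a scratch copy before it is run as root against the real files.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): apply and audit the
# "auth requisite pam_deny.so" change on PAM service files.
# On a real system the arguments would be /etc/pam.d and
# /etc/security/console.apps, and the script would run as root.

ROOTOK_RE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so'
DENY_RE='^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_deny\.so'
INCLUDE_RE='^[[:space:]]*auth[[:space:]]+include[[:space:]]+config-util'

# has_deny FILE: true if FILE already carries the deny line.
has_deny() { grep -Eq "$DENY_RE" "$1" 2>/dev/null; }

# deny_console_program FILE
# Insert the deny line directly after the first uncommented pam_rootok line.
# Returns 0 when the deny line is present afterwards, 1 when FILE has no
# uncommented pam_rootok line: we refuse to edit such a file, because a
# pam_deny placed before root's own escape hatch would lock root out too.
deny_console_program() {
    f=$1
    has_deny "$f" && return 0             # idempotent: already done
    grep -Eq "$ROOTOK_RE" "$f" || return 1
    tmp=$(mktemp) || return 1
    # awk prints every line and appends the deny line after the first
    # pam_rootok match only; "done" guards against a second copy. The
    # regex is passed through the environment so awk does not reinterpret
    # its backslashes the way "awk -v" would.
    ROOTOK_RE="$ROOTOK_RE" awk '
        { print }
        !done && $0 ~ ENVIRON["ROOTOK_RE"] {
            print "auth       requisite    pam_deny.so"
            done = 1
        }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy the contents back instead of mv, so the service file keeps its
    # owner, mode and SELinux context.
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# programs_without_deny APPSDIR PAMDIR
# Print the name of each program registered in APPSDIR whose PAM file in
# PAMDIR still lets non-root console users through. A file that includes
# config-util is covered when config-util carries the deny line, because
# "include" splices that stack into the program's own.
programs_without_deny() {
    apps=$1; pamd=$2
    for p in "$apps"/*; do
        [ -e "$p" ] || continue           # empty directory: glob stays literal
        n=${p##*/}
        has_deny "$pamd/$n" && continue
        if grep -Eq "$INCLUDE_RE" "$pamd/$n" 2>/dev/null && has_deny "$pamd/config-util"; then
            continue
        fi
        printf '%s\n' "$n"
    done
}

# Usage (as root, after reviewing the audit output):
#   programs_without_deny /etc/security/console.apps /etc/pam.d
#   deny_console_program /etc/pam.d/reboot
```

Run the audit first, then apply deny_console_program to each reported file, or to /etc/pam.d/config-util once to cover every program that includes it, and run the audit again to confirm the list is empty.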
reboot, and other programs, which by default are accessible from the console.