Chapter 5. Console Access
When normal (non-root) users log into a computer locally, they are given two types of special permissions:
- They can run certain programs that they otherwise cannot run.
- They can access certain files that they otherwise cannot access. These files normally include special device files used to access diskettes, CD-ROMs, and so on.
Since a single computer has multiple consoles and multiple users can be logged in locally at the same time, one of those users essentially has to win a race for access to the files. The first user to log in at the console owns those files; once that user logs out, the next user who logs in owns them.
In contrast, every user who logs in at the console is allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, these console-accessible programs include
5.1. Disabling Console Program Access for Non-root Users
Non-root users can be denied console access to any program in the /etc/security/console.apps/ directory. To list these programs, run the following command:

    ls /etc/security/console.apps
    abrt-cli-root  config-util  eject  halt  poweroff  reboot  rhn_register  setup  subscription-manager  subscription-manager-gui  system-config-network  system-config-network-cmd  xserver
For each of these programs, console access denial can be configured using the program's Pluggable Authentication Module (PAM) configuration file. For information about PAM and its usage, see the chapter Pluggable Authentication Modules of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards guide.
The PAM configuration file for each program in /etc/security/console.apps/ resides in the /etc/pam.d/ directory and is named the same as the program. Using this file, you can configure PAM to deny access to the program if the user is not root. To do that, insert the line

    auth requisite pam_deny.so

directly after the first uncommented line

    auth sufficient pam_rootok.so

The order matters: pam_rootok.so succeeds immediately for root (the sufficient control flag ends the auth stack with success), so only non-root users reach the pam_deny.so line, and because it is marked requisite their authentication fails right there without consulting the remaining modules.
Example 5.1. Disabling Access to the Reboot Program
To disable non-root console access to /etc/security/console.apps/reboot, insert the line auth requisite pam_deny.so into the /etc/pam.d/reboot PAM configuration file:

    #%PAM-1.0
    auth       sufficient   pam_rootok.so
    auth       requisite    pam_deny.so
    auth       required     pam_console.so
    #auth      include      system-auth
    account    required     pam_permit.so

With this setting, all non-root access to the reboot utility is disabled.
Additionally, several programs in /etc/security/console.apps/ partially derive their PAM configuration from the /etc/pam.d/config-util configuration file. This allows you to change the configuration for all of these programs at once by editing /etc/pam.d/config-util. To find all these programs, search for the PAM configuration files that refer to it:

    grep -l "config-util" /etc/pam.d/*
    /etc/pam.d/abrt-cli-root
    /etc/pam.d/rhn_register
    /etc/pam.d/subscription-manager
    /etc/pam.d/subscription-manager-gui
    /etc/pam.d/system-config-network
    /etc/pam.d/system-config-network-cmd
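The following script is an added example and is not part of the Red Hat guide. It carries out the two procedures above on constructed sample files in a temporary directory rather than on the live /etc/pam.d/: the hypothetical function deny_nonroot inserts "auth requisite pam_deny.so" directly after the first uncommented "auth sufficient pam_rootok.so" line (and does nothing if the line is already present), nonroot_denied checks that the first two active auth lines are exactly that pair so an administrator can verify the change, and config_util_clients runs the same grep as above against a chosen directory. The sample PAM files are constructed for the example; only the reboot file mirrors the layout shown in Example 5.1.

```shell
#!/bin/sh
# Added example (not from the RHEL 6 Security Guide). Manipulates copies of PAM
# configuration files in a temporary directory; point the functions at /etc/pam.d
# only after reviewing the result on a copy.
set -eu

# deny_nonroot FILE: insert "auth requisite pam_deny.so" after the first
# uncommented "auth sufficient pam_rootok.so" line. Idempotent.
deny_nonroot() {
    f=$1
    if grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_deny\.so' "$f"; then
        return 0    # already denied, leave the file untouched
    fi
    awk '
        { print }
        !done && $0 !~ /^[[:space:]]*#/ && $1 == "auth" && $2 == "sufficient" && $3 == "pam_rootok.so" {
            print "auth       requisite    pam_deny.so"
            done = 1
        }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# nonroot_denied FILE: succeed only if the first two active auth lines are
# "sufficient pam_rootok.so" followed by "requisite pam_deny.so".
nonroot_denied() {
    lines=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '$1 == "auth" { print $2, $3 }' | head -n 2)
    expected=$(printf 'sufficient pam_rootok.so\nrequisite pam_deny.so')
    [ "$lines" = "$expected" ]
}

# config_util_clients DIR: the guide's grep, parameterised on the directory.
config_util_clients() {
    grep -l "config-util" "$1"/*
}

# make_sample_pamd: create constructed sample PAM files and print the directory.
make_sample_pamd() {
    d=$(mktemp -d)
    # Layout of the reboot file before the deny line is added (see Example 5.1).
    cat > "$d/reboot" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
#auth      include      system-auth
account    required     pam_permit.so
EOF
    # Constructed client of config-util.
    cat > "$d/rhn_register" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       include      config-util
account    required     pam_permit.so
EOF
    # Constructed config-util; it does not contain its own name, so grep -l skips it.
    cat > "$d/config-util" <<'EOF'
#%PAM-1.0
auth       required     pam_console.so
account    required     pam_permit.so
EOF
    printf '%s\n' "$d"
}

# Demonstration on the constructed sample directory.
demo=$(make_sample_pamd)
deny_nonroot "$demo/reboot"
nonroot_denied "$demo/reboot" && echo "non-root console access to reboot is denied"
echo "programs deriving their PAM configuration from config-util:"
config_util_clients "$demo"
rm -rf "$demo"
```

The awk rule prints every line and appends the deny line once, immediately after the first uncommented pam_rootok.so line, so a file that already has the line, or one whose first auth line is not pam_rootok.so, is never corrupted; nonroot_denied can be run afterwards as a check that the stack really fails non-root users before pam_console.so is consulted.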
Disabling console program access as described above may be useful in environments where the console is otherwise secured. Security measures may include password protection for the BIOS and boot loader, disabling rebooting on pressing Ctrl+Alt+Delete, disabling the power and reset switches, and others. In these cases, you may want to restrict normal users' access to reboot and the other programs that are accessible from the console by default.