Chapter 5. Console Access

When normal (non-root) users log into a computer locally, they are given two types of special permissions:
  1. They can run certain programs that they otherwise cannot run.
  2. They can access certain files that they otherwise cannot access. These files normally include special device files used to access diskettes, CD-ROMs, and so on.
Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to essentially win the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in owns the files.
In contrast, every user who logs in at the console is allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, these console-accessible programs include halt, poweroff, and reboot.

5.1. Disabling Console Program Access for Non-root Users

Non-root users can be denied console access to any program in the /etc/security/console.apps/ directory. To list these programs, run the following command:
~]$ ls /etc/security/console.apps
abrt-cli-root
config-util
eject
halt
poweroff
reboot
rhn_register
setup
subscription-manager
subscription-manager-gui
system-config-network
system-config-network-cmd
xserver
For each of these programs, console access denial can be configured using the program's Pluggable Authentication Module (PAM) configuration file. For information about PAMs and their usage, see chapter Pluggable Authentication Modules of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards guide.
PAM configuration file for each program in /etc/security/console.apps/ resides in the /etc/pam.d/ directory and is named the same as the program. Using this file, you can configure PAM to deny access to the program if the user is not root. To do that, insert line auth requisite pam_deny.so directly after the first uncommented line auth sufficient pam_rootok.so.

Example 5.1. Disabling Access to the Reboot Program

To disable non-root console access to /etc/security/console.apps/reboot, insert line auth requisite pam_deny.so into the /etc/pam.d/reboot PAM configuration file:
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth        requisite   pam_deny.so
auth       required     pam_console.so
#auth       include     system-auth
account    required     pam_permit.so
With this setting, all non-root access to the reboot utility is disabled.
Additionally, several programs in /etc/security/console.apps/ partially derive their PAM configuration from the /etc/pam.d/config-util configuration file. This allows to change configuration for all these programs at once by editing /etc/pam.d/config-util. To find all these programs, search for PAM configuration files that refer to the config-util file:
~]# grep -l "config-util" /etc/pam.d/*
/etc/pam.d/abrt-cli-root
/etc/pam.d/rhn_register
/etc/pam.d/subscription-manager
/etc/pam.d/subscription-manager-gui
/etc/pam.d/system-config-network
/etc/pam.d/system-config-network-cmd
Disabling console program access as described above may be useful in environments where the console is otherwise secured. Security measures may include password protection for BIOS and boot loader, disabling rebooting on pressing Ctrl+Alt+Delete, disabling the power and reset switches, and other. In these cases, you may want to restrict normal user's access to halt, poweroff, reboot, and other programs, which by default are accessible from the console.