Chapter 30. Console Access
/dev/sound/* /dev/beep
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*

You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the appropriate device. For example, you could add the following line:

<scanner>=/dev/scanner /dev/usb/scanner*

(Of course, make sure that /dev/scanner is really your scanner and not, say, your hard drive.)

That is the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:

<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound> 0640 root
<console> 0600 <cdrom> 0600 root.disk

and add a line like:

<console> 0600 <scanner> 0600 root

Then, when you log in at the console, you are given ownership of the /dev/scanner device with the permissions of 0600 (readable and writable by you only). When you log out, the device is owned by root and still has the permissions 0600 (now readable and writable by root only).

30.6. Enabling Console Access for Other Applications

To make other applications accessible to console users, a bit more work is required.

First of all, console access only works for applications which reside in /sbin/ or /usr/sbin/, so the application that you wish to run must be there. After verifying that, do the following steps:

1. Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:

cd /usr/bin
ln -s consolehelper foo

2. Create the file /etc/security/console.apps/foo:

touch /etc/security/console.apps/foo

3. Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:

cp /etc/pam.d/halt /etc/pam.d/foo

Now, when /usr/bin/foo is executed, consolehelper is called, which authenticates the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper asks for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it does precisely what is specified in /etc/pam.d/foo) and then runs /usr/sbin/foo with root permissions.

In the PAM configuration file, an application can be configured to use the pam_timestamp module to remember (cache) a successful authentication attempt. When an application is started and proper authentication is provided (the root password), a timestamp file is created. By default, a successful authentication is cached for five minutes. During this time, any other application that is configured to use pam_timestamp and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again.

This module is included in the pam package. To enable this feature, the PAM configuration file in /etc/pam.d/ must include the following lines:
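Added example, not from the guide and separate from the pam_timestamp lines it refers to: a shell check of the section 30.6 steps for every application registered in /etc/security/console.apps, reporting missing pieces and PAM files that use pam_timestamp. The ROOT prefix argument, the function names and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the guide): check the three steps of section 30.6
# for every application registered in /etc/security/console.apps.
# The ROOT prefix is a hypothetical parameter so the check can run against a
# constructed tree. Only the layout the guide describes is understood
# (empty marker file, program in /sbin or /usr/sbin).

audit_console_apps() {
    root=$1 bad=0
    for marker in "$root"/etc/security/console.apps/*; do
        [ -f "$marker" ] || continue
        app=${marker##*/}
        # Step 1: /usr/bin/<app> must be a symlink to consolehelper.
        case $(readlink "$root/usr/bin/$app" 2>/dev/null) in
            consolehelper|/usr/bin/consolehelper) ;;
            *) echo "$app: /usr/bin/$app is not a link to consolehelper"; bad=1 ;;
        esac
        # The program that ends up running as root must be in /sbin or /usr/sbin.
        if [ ! -x "$root/sbin/$app" ] && [ ! -x "$root/usr/sbin/$app" ]; then
            echo "$app: no executable in /sbin or /usr/sbin"; bad=1
        fi
        # Step 3: the PAM service file decides how the user is authenticated.
        pam=$root/etc/pam.d/$app
        if [ ! -f "$pam" ]; then
            echo "$app: missing /etc/pam.d/$app"; bad=1
        elif grep -v '^[[:space:]]*#' "$pam" | grep -q pam_timestamp; then
            echo "$app: note: pam_timestamp caches a successful authentication"
        fi
    done
    return $bad
}

# Constructed sample tree: "foo" is set up as in the guide, "bar" has only
# its marker file. The PAM line is constructed, not copied from the guide.
make_sample_tree() {
    mkdir -p "$1/etc/security/console.apps" "$1/etc/pam.d" "$1/usr/bin" "$1/usr/sbin"
    touch "$1/etc/security/console.apps/foo" "$1/etc/security/console.apps/bar"
    printf '#!/bin/sh\n' > "$1/usr/sbin/foo"; chmod +x "$1/usr/sbin/foo"
    ln -s consolehelper "$1/usr/bin/foo"
    printf 'auth sufficient pam_timestamp.so\n' > "$1/etc/pam.d/foo"
}

# Run against the prefix given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_console_apps "$1"; fi
```

Passing / as the argument checks the live system; a non-zero exit status means at least one step is incomplete for some registered application.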