Disabling Console Program Access; Defining The Console; Making Files Accessible From The Console - Red Hat ENTERPRISE LINUX 4 System Administration Manual
Hide thumbs
Also See for ENTERPRISE LINUX 4:
- Manual (410 pages) ,
- Administration manual (200 pages) ,
- Installation manual (110 pages)
Table of Contents
Advertisement
Chapter 27. Console Access
shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the
system continues; if not, an error message is written to the system console instead.
For more information on shutdown.allow, refer to the shutdown man page.
27.2. Disabling Console Program Access
To disable access by users to console programs, run the following command as root:
rm -f /etc/security/console.apps/*
In environments where the console is otherwise secured (BIOS and boot loader passwords are set,
Ctrl+Alt+Delete is disabled, the power and reset switches are disabled, and so forth), you may
not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible
from the console by default.
To remove these abilities, run the following commands as root:
rm -f /etc/security/console.apps/poweroffrm -f /etc/security/console.apps/haltrm -f /etc/
security/console.apps/reboot
27.3. Defining the Console
The pam_console.so module uses the /etc/security/console.perms file to determine the
permissions for users at the system console. The syntax of the file is very flexible; you can edit the file
so that these instructions no longer apply. However, the default file has a line that looks like this:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
When users log in, they are attached to some sort of named terminal, either an X server with a name
like :0 or mymachine.example.com:1.0, or a device like /dev/ttyS0 or /dev/pts/2. The
default is to define that local virtual consoles and local X servers are considered local, but if you want
to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that
line to read:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
27.4. Making Files Accessible From the Console
In /etc/security/console.perms, there is a section with lines like:
<floppy>=/dev/fd[0-1]* \
/dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/* /dev/beep \
/dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the
appropriate device. For example, you could add the following line:
274
Advertisement
Table of Contents
