Disabling Console Program Access; Defining The Console; Making Files Accessible From The Console - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

Chapter 27. Console Access

27.2. Disabling Console Program Access

To disable access by users to console programs, run the following command as root:
rm -f /etc/security/console.apps/*
In environments where the console is otherwise secured (BIOS and boot loader passwords are set,
Ctrl+Alt+Delete is disabled, the power and reset switches are disabled, and so forth), you may
not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible
from the console by default.
To disable these abilities, run the following commands as root:
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot

27.3. Defining the Console

The pam_console.so module uses the /etc/security/console.perms file to determine the
permissions for users at the system console. The syntax of the file is very flexible; you can edit the file
so that these instructions no longer apply. However, the default file has a line that looks like this:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
When users log in, they are attached to some sort of named terminal, which can be either an X server
with a name like :0 or mymachine.example.com:1.0, or a device like /dev/ttyS0 or /dev/pts/2.
By default, local virtual consoles and local X servers are considered local, but if you want to
consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that
line to read:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
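
To see which terminal names a given <console> definition would treat as local before editing
console.perms, the following added example (not part of the Red Hat manual or of pam_console) tests
names against each word of the line. It assumes each word is an extended regular expression that
must match the whole terminal name; the function names is_console and report are hypothetical.

```shell
#!/bin/sh
# Constructed sample input: the default and the modified <console> lines quoted above.
DEFAULT_LINE='<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]'
SERIAL_LINE='<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1'

# is_console DEFINITION NAME
# Returns 0 if NAME matches any word of the <console>= DEFINITION,
# 1 if it matches none, 2 if DEFINITION is not a <console>= line.
is_console() {
    def=$1 tname=$2
    case $def in
        '<console>='*) words=${def#'<console>='} ;;
        *) echo "not a <console>= definition" >&2; return 2 ;;
    esac
    set -f    # stop the shell expanding [0-9]* as a filename glob while splitting
    for pat in $words; do
        # Assumption: each word is an extended regex anchored to the whole name.
        if printf '%s\n' "$tname" | grep -Eq -- "^(${pat})\$"; then
            set +f
            return 0
        fi
    done
    set +f
    return 1
}

# report DEFINITION NAME...
# Prints one verdict per terminal name so a change can be reviewed before it is applied.
report() {
    rdef=$1; shift
    for n in "$@"; do
        if is_console "$rdef" "$n"; then
            echo "$n console"
        else
            echo "$n not-console"
        fi
    done
}

# Terminal names taken from the examples in the text above.
report "$DEFAULT_LINE" tty1 vc/2 :0 :0.0 mymachine.example.com:1.0 /dev/ttyS1 /dev/pts/2
report "$SERIAL_LINE" /dev/ttyS1 /dev/ttyS0
```

Under the stated assumption, only the serial port named in the modified line gains console status; /dev/ttyS0 and the remote X display name remain non-console.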

27.4. Making Files Accessible From the Console

The default settings for individual device classes and permission definitions are defined in
/etc/security/console.perms.d/50-default.perms. To edit file and device permissions, it is
advisable to create a new default file in /etc/security/console.perms.d/ containing your
preferred settings for a specified set of files or devices. The name of the new default file must
begin with a number higher than 50 (for example, 51-default.perms) in order to override
50-default.perms.
To do this, create a new file named 51-default.perms in /etc/security/console.perms.d/:
touch /etc/security/console.perms.d/51-default.perms