/sbin/pam_timestamp_check -k root </dev/null >/dev/null 2>/dev/null
If you do not use this form of the command, only the credentials (if any) for the pty where you run
the command are removed.
Refer to the pam_timestamp_check man page for more information about destroying the timestamp
file using pam_timestamp_check.
43.4.6.2. Common pam_timestamp Directives
The pam_timestamp.so module accepts several directives. The following are the two most
commonly used options:
• timestamp_timeout — Specifies the period (in seconds) for which the timestamp file is valid. The
default value is 300 (five minutes).
• timestampdir — Specifies the directory in which the timestamp file is stored. The default value is
/var/run/sudo/.
Refer to Section 43.4.8.1, "Installed Documentation" for more information about controlling the
pam_timestamp.so module.
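As an added example (not part of the original guide), the following shell function lists each pam_timestamp.so entry in a PAM configuration directory with its effective timestamp_timeout, applying the default of 300 seconds when the directive is absent. The function names, the sample files and the 300-second review limit are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list every pam_timestamp.so entry under a PAM config
# directory with its effective timestamp_timeout. The 300-second default is
# from the text above; the function names and review limit are assumptions.

# audit_pam_timestamp DIR [MAX_SECONDS]
# Output per entry: "<file> <timeout> <OK|LONG|INVALID>"
audit_pam_timestamp() {
    dir=${1:-/etc/pam.d}
    max=${2:-300}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Drop comment lines, keep lines that load pam_timestamp.so.
        sed -n '/^[[:space:]]*#/d; /pam_timestamp\.so/p' "$f" |
        while read -r line; do
            set -f                      # no globbing while splitting words
            timeout=300                 # module default when option is absent
            for word in $line; do
                case $word in
                    timestamp_timeout=*) timeout=${word#timestamp_timeout=} ;;
                esac
            done
            case $timeout in
                ''|*[!0-9]*) status=INVALID ;;   # not a plain number of seconds
                *) if [ "$timeout" -gt "$max" ]; then status=LONG
                   else status=OK; fi ;;
            esac
            printf '%s %s %s\n' "${f##*/}" "$timeout" "$status"
        done
    done
}

# Constructed sample configuration (not taken from a real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth sufficient pam_timestamp.so' \
        'auth include system-auth' > "$d/app-default"
    printf '%s\n' '# auth sufficient pam_timestamp.so timestamp_timeout=5' \
        'auth sufficient pam_timestamp.so timestamp_timeout=3600' \
        'session optional pam_timestamp.so timestamp_timeout=60' > "$d/app-long"
    printf '%s\n' 'auth sufficient pam_timestamp.so timestamp_timeout=5m' \
        > "$d/app-typo"
    audit_pam_timestamp "$d" 300
    rm -rf "$d"
}

# Run "--demo" for the constructed sample, or pass a directory to audit it.
if [ "${1:-}" = "--demo" ]; then demo; elif [ $# -gt 0 ]; then audit_pam_timestamp "$@"; fi
```

Entries reported as LONG keep cached administrative credentials valid for longer than the chosen limit, and INVALID marks a value that is not a whole number of seconds.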
43.4.7. PAM and Device Ownership
In Red Hat Enterprise Linux, the first user who logs in at the physical console of the machine can
manipulate certain devices and perform certain tasks normally reserved for the root user. This is
controlled by a PAM module called pam_console.so.
43.4.7.1. Device Ownership
When a user logs in to a Red Hat Enterprise Linux system, the pam_console.so module is called
by login or the graphical login programs, gdm, kdm, and xdm. If this user is the first user to log in
at the physical console — referred to as the console user — the module grants the user ownership of
a variety of devices normally owned by root. The console user owns these devices until the last local
session for that user ends. After this user has logged out, ownership of the devices reverts back to the
root user.
The devices affected include, but are not limited to, sound cards, diskette drives, and CD-ROM drives.
This facility allows a local user to manipulate these devices without obtaining root access, thus
simplifying common tasks for the console user.
You can modify the list of devices controlled by pam_console.so by editing the following files:
• /etc/security/console.perms
• /etc/security/console.perms.d/50-default.perms
You can change the permissions of devices other than those listed in the above files, or override
the specified defaults. Rather than modifying the 50-default.perms file, create a new file
(for example, xx-name.perms) and enter the required modifications. The name of the new default file
must begin with a number higher than 50 (for example, 51-default.perms) so that it overrides the
defaults in the 50-default.perms file.