Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/sys-libs/pam/files/README.pam_console
blob: a8c3582ab593851a49958fd8e22871fbccb993b5 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

Introduction
============

pam_console is a module for PAM (Pluggable Authentication Modules) designed to
give users that log locally in a system ("owning the console" in technical
terms) privileges that they would not otherwise have, and to take those
privileges away when they are no longer logged in.

When a user logs in at the console and no other user is currently logged in,
pam_console will change permissions and ownership of some of the device files,
to allow, for instance, access to the audio devices, or to the cdrom drives.
Those permissions are read from a configuration file
(/etc/security/console.perms).

To know more about pam_console, run 'man pam_console' and 'man console.perms'.


Gentoo and pam_console
======================

In a Gentoo system pam_console is disabled by default, and users are allowed
to access specific devices if they are member of particular groups (e.g. they
have to be members of the audio group to access audio devices).

However, Gentoo gives you the possibility to enable pam_console, you just have
to follow these advices:

1) Make sure you compiled sys-libs/pam with USE="pam_console", otherwise the
   pam_console module will not be built.

2) In /etc/pam.d/login, add the following line:

  session    optional     pam_console.so

   Thus, pam_console will apply permissions from /etc/security/console.perms
   when you log in in text consoles.
   Do the same with /etc/pam.d/xdm if you login through xdm, with /etc/pam.d/kde
   if you login through kdm, and so on.

   Alternatively (but not recommended), you can add the line above to
   /etc/pam.d/system-auth so that pam_console will be enabled everywhere.
   
3) If you're using devfs, add the following lines in /etc/devfsd.conf:

  REGISTER  .*  CFUNCTION /lib/security/pam_console_apply_devfsd.so\
                    pam_console_apply_single $devpath

   In this way, permissions from /etc/security/console.perms will be applied
   also to those devices that are created dynamically.

4) If you're using udev, create a file in /etc/dev.d/default/ ending with
   '.dev', for instance /etc/dev.d/default/pam_console.dev, containing the
   following lines:

  #!/bin/sh
  exec /usr/sbin/pam_console_apply
 
   and make it executable:

  chmod +x /etc/dev.d/default/pam_console.dev

   In this way, pam_console will reevaluate permissions from
   /etc/security/console.perms each time a device is dynamically created.

   Another possible way to obtain the same result is to use the RUN key
   in udev rules (see the udev documentation for more info).

5) Tweak /etc/security/console.perms to your own needs.