White Paper: Enhanced Console Access



The Solutions

Red Hat Linux 6.0 includes solutions to both the device and X access problems, and the solutions are automatic. You do not need to know how to set up anything; by default, users at the physical console are able to use devices like floppy and sound, and to cleanly shut down the machine. X applications just work when you use the su command to assume the privileges of the superuser. If you would like to know how this works, or would like to customize or even disable these solutions, read on.

The solution to each of the two access problems was to implement a PAM module. PAM (Pluggable Authentication Modules) is a way of generalizing authentication so that it can be changed on a per-application basis without recompiling applications, but it also deals with some other things that happen at the same time as authentication. In particular, it manages sessions.

When you log in, a session is started, and when you log out, that session is terminated. Likewise, a session exists for the lifetime of any interactive invocation of the su command.

Red Hat Software wrote two new PAM modules, pam_console and pam_xauth, both of which manage sessions. The first checks every login to see whether it is a console session—that is, whether it originates from the physical console—and modifies system file permissions appropriately. The second is invoked from su to pass around the keys that are used to keep X secure.

The pam_console module also includes an authentication component. Non-root users are now allowed to run the shutdown command if they are at the console and provide their own password (not the root password). This is done by providing a /usr/bin/shutdown link to the new consolehelper program, which uses PAM to authenticate that the user is on the console and then invokes the real shutdown program with full root privileges.

Another excellent use of the pam_console module is that X can now be started only from the system console. In the past, it was possible for remote users to start X on the system console. In Red Hat Linux 6.0, the xwrapper program, which starts X, uses pam_console to ensure that users are physically located at the system console. (This check is, of course, not applied to the superuser.)
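
The following is an added example, not part of the original white paper or of Red Hat's code: a small audit helper that reads a PAM service file and reports whether its auth stack relies on pam_console alone, on pam_console plus the user's password, or not at all. The function name and the three sample stacks are constructed for illustration and are assumptions, not the files shipped in Red Hat Linux 6.0.

```shell
#!/bin/sh
# Added example: classify how a PAM service file uses pam_console in its auth stack.

# console_auth_mode FILE  -> prints: none | console-only | console+password
console_auth_mode() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }            # skip comments and blank lines
        $1 != "auth"         { next }            # session/account lines do not authenticate
        $2 != "required" && $2 != "requisite" { next }   # only mandatory modules count
        {
            n = split($3, part, "/"); mod = part[n]      # drop a /lib/security/ prefix
            if (mod == "pam_console.so") console = 1
            if (mod == "pam_pwdb.so" || mod == "pam_unix.so") password = 1
        }
        END {
            if (!console)      print "none"
            else if (password) print "console+password"
            else               print "console-only"
        }
    ' "$1"
}

# Constructed sample stacks (assumptions, not the files shipped in Red Hat Linux 6.0).
make_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shutdown" <<'EOF'
#%PAM-1.0
auth     required    /lib/security/pam_console.so
auth     required    /lib/security/pam_pwdb.so
account  required    /lib/security/pam_permit.so
EOF
    cat > "$dir/xwrapper" <<'EOF'
auth     sufficient  /lib/security/pam_rootok.so
auth     required    /lib/security/pam_console.so
account  required    /lib/security/pam_permit.so
EOF
    cat > "$dir/login" <<'EOF'
auth     required    /lib/security/pam_pwdb.so
session  optional    /lib/security/pam_console.so
EOF
    echo "$dir"
}

samples=$(make_samples)
for svc in shutdown xwrapper login; do
    printf '%-9s %s\n' "$svc" "$(console_auth_mode "$samples/$svc")"
done
rm -rf "$samples"
```

Services reported as console-only grant their privilege to anyone seated at the console without a password, so they are the ones to review first when customizing or disabling these modules.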


Copyright © 2002 Red Hat, Inc. All rights reserved.