pam_console(8)           System Administrator's Manual          pam_console(8)

NAME

       pam_console - determine user owning the system console

SYNOPSIS

       session optional pam_console.so
       auth required pam_console.so

DESCRIPTION

       pam_console.so is designed to give users at the physical console
       (virtual terminals and local xdm-managed X sessions by default, but
       that is configurable) capabilities that they would not otherwise have,
       and to take those capabilities away when they are no longer logged in
       at the console. It provides two main kinds of capabilities: file
       permissions and authentication.

       When a user logs in at the console and no other user is currently
       logged in at the console, pam_console.so will run the handler programs
       specified in the file /etc/security/console.handlers, such as
       pam_console_apply, which changes permissions and ownership of files as
       described in the file /etc/security/console.perms. That user may then
       log in on other terminals that are considered part of the console, and
       as long as the user is still logged in at any one of those terminals,
       that user will own those devices. When the user logs out of the last
       terminal, the console may be taken by the next user to log in. Other
       users who have logged in at the console during the time that the first
       user was logged in will not be given ownership of the devices unless
       they log in on one of the terminals; having done so on any one
       terminal, the next user will own those devices until he or she has
       logged out of every terminal that is part of the physical console.
       Then the race can start for the next user. In practice, this is not a
       problem; the physical console is not generally in use by many people
       at the same time, and pam_console.so just tries to do the right thing
       in weird cases.

       When an application attempts to authenticate the user and this user is
       already logged in at the console, pam_console.so checks whether there
       is a file in the /etc/security/console.apps/ directory with the same
       name as the application's service name, and if such a file exists,
       authentication succeeds. This way pam_console may be used to run some
       system applications (reboots, config tools) without the root password,
       or to enter the user password on the first system login only.

ARGUMENTS

       debug  turns on debugging

       allow_nonroot_tty
              gain console locks and change permissions even if the TTY's
              owner is not root.

       handlersfile=filename
              tells pam_console.so to get the list of the handlers from a
              different file than /etc/security/console.handlers

EXAMPLE

       /etc/pam.d/some-system-tool:
       auth sufficient pam_rootok.so
       auth required pam_console.so

       /etc/pam.d/some-login-service:
       auth sufficient pam_console.so
       auth required pam_unix.so
       session required pam_unix.so
       session optional pam_console.so

FILES

       /var/run/console/
       /var/run/console/console.lock
       /etc/security/console.apps
       /etc/security/console.handlers

SECURITY NOTES

       When pam_console "auth" is used for login services that can be reached
       by remote login, it is necessary to make sure the application
       correctly sets the PAM_RHOST variable, or to deny remote logins
       completely. Currently, /bin/login (invoked from telnetd) and gdm are
       OK; others may not be.
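
       An audit sketch for the console.apps check and the PAM_RHOST caveat
       above, added here as an example and not part of pam_console or its
       documentation. The function names, output format and sample tree are
       assumptions; the default paths are the ones this page names.

```shell
#!/bin/sh
# Added example, not part of pam_console: list each PAM service whose auth
# stack calls pam_console.so and whether its console.apps entry exists.
# Output (tab separated): service, control flag, entry=yes|no, follow-up.
# Simplification: "include" and "substack" lines are not followed.

audit_pam_console() {
    pam_dir=${1:-/etc/pam.d}
    apps_dir=${2:-/etc/security/console.apps}
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        svc=${f##*/}
        awk '
            /^[ \t]*#/ { next }    # skip comment lines
            $1 == "auth" || $1 == "-auth" {
                ctl = $2; i = 3
                # a bracketed control such as [success=1 default=ignore] spans fields
                if (ctl ~ /^\[/)
                    while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
                mod = $i; sub(/.*\//, "", mod)   # accept a full module path
                if (mod == "pam_console.so") print ctl
            }' "$f" |
        while IFS= read -r ctl; do
            if [ -e "$apps_dir/$svc" ]; then
                entry=yes; todo="confirm PAM_RHOST is set or remote login is denied"
            else
                entry=no; todo="-"
            fi
            printf '%s\t%s\tentry=%s\t%s\n' "$svc" "$ctl" "$entry" "$todo"
        done
    done
}

# Constructed sample tree based on the EXAMPLE section; paths are temporary.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/pam.d" "$d/console.apps" || return 1
    printf 'auth sufficient pam_rootok.so\nauth required pam_console.so\n' \
        > "$d/pam.d/some-system-tool"
    printf '# constructed\nauth sufficient pam_console.so\nauth required pam_unix.so\nsession optional pam_console.so\n' \
        > "$d/pam.d/some-login-service"
    : > "$d/console.apps/some-login-service"   # marker file enables console auth
    echo "$d"
}

sample=$(make_sample) && audit_pam_console "$sample/pam.d" "$sample/console.apps"
rm -rf "$sample"
```

       Called with no arguments, audit_pam_console reads /etc/pam.d and
       /etc/security/console.apps on the running system.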

SEE ALSO

       console.perms(5)
       console.apps(5)
       console.handlers(5)
       pam_console_apply(8)
       /usr/share/doc/pam*/html/index.html

BUGS

       Let's hope not, but if you find any, please report them via the "Bug
       Track" link at http://bugzilla.redhat.com/bugzilla/

AUTHORS

       Michael K. Johnson <johnsonm@redhat.com>
       Support of console.handlers and other improvements by Tomas Mraz
       <tmraz@redhat.com>
Red Hat                            2005/10/4                    pam_console(8)