When normal (non-root) users log in to a computer locally, they are given two types of special permission; they can run certain programs that they would not otherwise be able to run, and they can access certain files (normally special device files used to access diskettes, CD-ROMS, etc.) that they would not otherwise be able to access.

Since there are multiple consoles on a single computer, and multiple users can be logged into the computer locally at the same time, one of the users has to ``win'' the fight to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in will own the files.

In contrast, every user who logs in on the console will be allowed to run programs normally restricted to the root user. By default, those programs will ask for the user's password. This will be done graphically if X is running which makes it possible to make these actions menu items from within a graphical user interface. As shipped, the console-accessible programs are shutdown, halt, and reboot.

Disabling Console Program Access

In order to disable all access by console users to console programs, you should run the command:

rm -f /etc/security/console.apps/*

Disabling All Console Access

cd /etc/pam.d
for i in * ; do
  sed '/[#].*pamconsole.so/s//#/' < i > foo  mv foo i
done

Defining the Console

<console>=tty[0-9][0-9]* :[0-9]
.[0-9] :[0-9]

When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0; or a device like /dev/tty0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:

<console>=tty[0-9][0-9]* :[0-9]
.[0-9] :[0-9] /dev/ttyS1

Making Files Console-Accessible

<cdrom>=/dev/cdrom

You can also add your own lines:

<scanner>=/dev/sga

(of course, make sure that /dev/sga is really your scanner and not, say, your hard drive).

That's the first part. The second part is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to

<console> 0600 <cdrom>  0600 root

and add a line like

<console> 0600 <scanner> 0600 root

Then when you log in at the console, you will be given ownership of the /dev/sga device and the permissions will be 0600 (readable and writable by you only). When you log out, the device will be owned by root and still have 0600 (now: readable and writable by root only) permissions.

Enabling Console Access for Other Applications

If you wish to make other applications besides shutdown, reboot, and halt accessible to console users, you will have to do just a little bit more work.

First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there.

Create a link from the name of your application to the /usr/bin/consolehelper application:

cd /usr/bin
ln -s consolehelper foo

Create the file /etc/security/console.apps/foo

touch /etc/security/console.apps/foo

Create a PAM configuration file for the foo service in /etc/pam.d/. We suggest that you start with a copy of the shutdown service, then change it if you want to change the behavior:

cp /etc/pam.d/shutdown /etc/pam.d/foo

Now, when you run /usr/bin/foo, it will call consolehelper, which with the help of
/usr/sbin/userhelper will authenticate the user (asking for the users password if /etc/pam.d/foo is a copy of /etc/pam.d/shutdown; otherwise, it will do precisely what is specified in
/etc/pam.d/foo) and then run /usr/sbin/foo with root permissions.