Gentoo Archives: gentoo-dev

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-dev@××××××××××××.org
Subject: Re: [gentoo-dev] PAM related: pam_console ?
Date: Thu, 31 Mar 2005 20:55:18
In Reply to: [gentoo-dev] PAM related: pam_console ? by "Diego \"Flameeyes\" Pettenò"

On Thu, Mar 31, 2005 at 03:17:06PM +0200, Diego Flameeyes Pettenò wrote:
> Anyway I was wondering what pam_console is used for, at the end. It's a way to
> set up permissions when someone logs in at a console. I would never use
> something like that on a remote server, as anyone who could have a local
> login can do anything? It also doesn't make sense on a recent user system
> configured properly, as devfs/udev would take care of permissions, and users
> need only to set the group correctly (simpler than using pam_console
> anyway).
Since you asked, pam_console is extremely useful in shared computer lab
settings. Take this scenario for example:
- User A has logged into a lab workstation from home, and is working on
  his stuff.
- User B physically goes and sits at the workstation, as he wants to
  copy his research materials to a floppy disk (but this applies to any
  other hardware as well; e.g. modems, cd writers, et al).
- User A should never have access to the floppy disk, as he is not
  physically present. Only User B should have access, because he is
  physically present.
- Using groups in this case (e.g. the floppy group) is not suitable, as
  both users would have to be in it, and then they could both access
  the floppy drive.
- pam_console applies a set of permissions ONLY for users logged in at
  the local machine, for the duration of their login. So for the
  duration of User B's physical time at the machine, he has access to
  the hardware as allowed by pam_console.

That said, pam_console is a pain to deal with under a few cases:
- it only takes effect for the first concurrent login at a machine (e.g.
  the first virtual terminal in use, when none of the others are in
  use).
- In some cases it doesn't correctly reset the permissions after the
  user.

I'd say more than 99% of Gentoo users probably have no use for
pam_console, but it still has a place in Gentoo.

--
Robin Hugh Johnson
E-Mail : robbat2@××××××××××××××.net
Home Page :
ICQ# : 30269588 or 41961639
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

