| 1 |
On Thu, Mar 31, 2005 at 03:17:06PM +0200, Diego Flameeyes Petten? wrote: |
| 2 |
> Anyway I was wondering what pam_console is used for, at the end. It's a way to |
| 3 |
> set up permissions when someone logins at a console. I would never use |
| 4 |
> something like that on a remote server, as anyone which could have a local |
| 5 |
> login can do anything? It also doesn't make sense on a recent user system |
| 6 |
> configured properly, as devfs/udev would take care of permissions, and users |
| 7 |
> needs only to set the group correctly (simpler than using pam_console |
| 8 |
> anyway). |
| 9 |
Since you asked, pam_console is extremely useful in shared computer lab |
| 10 |
settings. Take this scenario for example: |
| 11 |
- User A has logged into a lab workstation from home, and is working on |
| 12 |
his stuff. |
| 13 |
- User B physically goes and sits at the workstation, as he wants to |
| 14 |
copy his research materials to a floppy disk (but this applies to any |
| 15 |
other hardware as well; eg modems, cd writers, et al). |
| 16 |
- User A should never have access to the floppy disk, as he is not |
| 17 |
physically present. Only User B should have access, because he is |
| 18 |
physically present. |
| 19 |
- Using groups in this case (eg the floppy group) is not suitable, as |
| 20 |
both users would have to be in it, and then they could both access |
| 21 |
the floppy drive. |
| 22 |
- pam_console applies a set of permissions ONLY for users logged in at |
| 23 |
the local machine, for the duration of their login. So for the |
| 24 |
duration of User B's physical time at the machine, he has access to |
| 25 |
the hardware as allowed by pam_console. |
| 26 |
|
| 27 |
That said, pam_console is a pain to deal with under a few cases: |
| 28 |
- it only takes effect for the first concurrent login at a machine (eg |
| 29 |
the first virtual terminal in use, when none of the others are in |
| 30 |
use). |
| 31 |
- In some cases it doesn't correctly reset the permissions after the |
| 32 |
user. |
| 33 |
|
| 34 |
I'd say more than 99% of Gentoo users probably have no use for |
| 35 |
pam_console, but it still has a place in Gentoo. |
| 36 |
|
| 37 |
-- |
| 38 |
Robin Hugh Johnson |
| 39 |
E-Mail : robbat2@××××××××××××××.net |
| 40 |
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 |
| 41 |
ICQ# : 30269588 or 41961639 |
| 42 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives