
8.6.1.4. PAM and consolehelper

Fedora uses the consolehelper program to control access to a number of system administration tools. It's consolehelper that asks you for the root password when you use many of the configuration menu options such as System->Administration->Network (or, equivalently, run system-config-network from the shell).

If you examine the system-config-network file, you'll see that it is actually a symbolic link to consolehelper:

$ type system-config-network
system-config-network is /usr/bin/system-config-network
$ ls -l /usr/bin/system-config-network
lrwxrwxrwx 1 root root 13 Mar 20 14:57 /usr/bin/system-config-network -> consolehelper


When consolehelper is invoked with another command name, it uses the PAM configuration in /etc/pam.d with the same name as the command entered. If the user runs system-config-network, then the PAM configuration /etc/pam.d/system-config-network is invoked, which looks like this:

#%PAM-1.0
auth include config-util
account include config-util
session include config-util


This includes /etc/pam.d/config-util, which contains these lines:

#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth include system-auth
account required pam_permit.so
session required pam_permit.so
session optional pam_xauth.so
session optional pam_timestamp.so


The auth configuration will succeed if the current user is root (pam_rootok.so) or there is a recent timestamp file present (pam_timestamp.so). Failing that, the traditional Unix password authentication is performed (via the included system-auth file).

The timestamp file that pam_timestamp.so checks is created by the last line, which invokes the pam_timestamp.so module in session mode. In other words, if the user successfully authenticates to the system as root in order to use one tool, she is permitted to run other tools without typing in her password for the next few minutes.

Once the authentication has succeeded, consolehelper consults the file with the same name as the originally entered command in the directory /etc/security/console.apps; in this example, the file would be /etc/security/console.apps/system-config-network, which contains:

USER=root
PROGRAM=/usr/sbin/system-config-network
SESSION=true


This instructs consolehelper to run /usr/sbin/system-config-network as the root user after performing the PAM session initialization (using the session lines in the PAM configuration file).

You can adjust the PAM configuration to suit your needs. For example, to allow regular users to run system-config-network without entering the root password, edit the auth line in /etc/pam.d/system-config-network to use the permissive pam_permit.so module instead of including the config-util file:

#%PAM-1.0
auth sufficient pam_permit.so
account include config-util
session include config-util

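To see how the include chain above is actually resolved, and to catch the permissive pam_permit.so edit during a configuration audit, here is an added example (not from the book) that flattens a consolehelper service's PAM stack. The /etc/pam.d files are embedded as constructed copies of those quoted above; the contents of system-auth are an assumption, since the text does not show that file.

```python
# Constructed stand-ins for the /etc/pam.d files quoted above; the contents of
# system-auth are an assumption, since the text does not show that file.
PAMD = {
    "system-config-network": (
        "#%PAM-1.0\n"
        "auth include config-util\n"
        "account include config-util\n"
        "session include config-util\n"
    ),
    "config-util": (
        "#%PAM-1.0\n"
        "auth sufficient pam_rootok.so\n"
        "auth sufficient pam_timestamp.so\n"
        "auth include system-auth\n"
        "account required pam_permit.so\n"
        "session required pam_permit.so\n"
        "session optional pam_xauth.so\n"
        "session optional pam_timestamp.so\n"
    ),
    "system-auth": "#%PAM-1.0\nauth required pam_unix.so\n",
}

# Modules that pass only for particular callers (root, fresh timestamp, console owner).
CONDITIONAL = {"pam_rootok.so", "pam_timestamp.so", "pam_console.so"}

def resolve(service, pamd=PAMD, depth=0):
    """Flatten a service's stack into (type, control, module) tuples, expanding
    `include` lines as PAM does: only entries of the same type are pulled in."""
    if depth > 8:
        raise RecursionError(f"include loop while resolving {service}")
    stack = []
    for raw in pamd[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module = line.split()[:3]
        if control == "include":
            stack.extend(e for e in resolve(module, pamd, depth + 1) if e[0] == mtype)
        else:
            stack.append((mtype, control, module))
    return stack

def auth_needs_no_password(stack):
    """True when the first auth module that applies to everyone is a sufficient
    pam_permit.so, i.e. the auth phase passes without any credential check."""
    for mtype, control, module in stack:
        if mtype != "auth" or module in CONDITIONAL:
            continue
        return control == "sufficient" and module == "pam_permit.so"
    return False
```

Pointing the dictionary at the real files under /etc/pam.d turns this into a quick check of which consolehelper-controlled tools have been opened to all users.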

It's often convenient to enable the console user (the person physically logged on to the system keyboard and display) to run any of the programs controlled by consolehelper without entering the root password. To do this, edit /etc/pam.d/config-util and add the pam_console.so line, so that the file reads:

#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth sufficient pam_console.so
auth include system-auth
account required pam_permit.so
session required pam_permit.so
session optional pam_xauth.so
session optional pam_timestamp.so

This will permit the current console owner to execute the configuration tools regardless of where he is executing them. For example, if the user joe is logged in on the console (either graphically or using a character-mode login), then joe can execute configuration tools both at the console and through a remote connection.


8.6.1.3. Automatic blacklisting of sites trying a brute-force password attack | Fedora Linux | 8.6.2. How Does It Work?