Linux Services Organization


Linux Console

When a user (root or not) logs in at the system console, some additional features such as key combinations (Ctrl+Alt+Del) are supported. This chapter focuses on how to restrict/control access to the system console and which operations are permitted on it.

Shutdown via Ctrl+Alt+Del

By default the file /etc/init/control-alt-delete.conf reboots the system in response to a Ctrl+Alt+Del key combination pressed at the console by ANY user :

cat /etc/init/control-alt-delete.conf

# control-alt-delete - emergency keypress handling
#
# This task is run whenever the Control-Alt-Delete key combination is
# pressed. Usually used to shut down the machine.

start on control-alt-delete

exec /sbin/shutdown -r now "Control-Alt-Delete pressed"


* To completely disable this functionality, comment out the line 'exec /sbin/shutdown -r now "Control-Alt-Delete pressed"' by putting a hash mark (#) in front of it.

* To allow only certain non-root users the right to shut down via Ctrl+Alt+Del on the console, substitute the line ?

Console Access

/etc/security/access.conf

This file controls access to the console based on users/groups and on where the connection is made from, using the pam_access module. The format used in this file is three fields separated by a ":" character :

permission ("+" access granted, "-" access denied) : users/groups : origins

* For example, to deny console access to user kate :

1.- Activate the pam_access module in /etc/pam.d/login by adding, as the first 'account' line --> "account required pam_access.so"

2.- Configure the access in /etc/security/access.conf :

$ echo "-:kate:ALL" >> /etc/security/access.conf

Now console access for user kate is denied.
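As an added illustration, not part of the original page, here is a simplified Python model of how pam_access evaluates this file: the first matching rule wins, and a user matched by no rule is let in. It models user names, ALL and ALL EXCEPT; group names in parentheses and the LOCAL origin keyword are assumed absent and left out.

```python
from dataclasses import dataclass

@dataclass
class AccessRule:
    permit: bool      # True for "+", False for "-"
    users: tuple      # (names, names after EXCEPT)
    origins: tuple    # (ttys/hosts, those after EXCEPT)

def _parse_list(field):
    """'ALL EXCEPT root john' -> (['ALL'], ['root', 'john'])."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []

def parse_access_conf(text):
    """Parse permission:users:origins lines; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append(AccessRule(perm == "+", _parse_list(users), _parse_list(origins)))
    return rules

def _matches(item, spec):
    names, excepted = spec
    if item in excepted:
        return False
    return "ALL" in names or item in names

def access_allowed(rules, user, origin):
    """The first rule whose users AND origins both match decides;
    when no rule matches, pam_access grants access."""
    for r in rules:
        if _matches(user, r.users) and _matches(origin, r.origins):
            return r.permit
    return True

# Constructed sample access.conf: kate is denied everywhere and tty1 is
# reserved for root; the final line makes the default explicit.
SAMPLE_ACCESS_CONF = """
-:kate:ALL
-:ALL EXCEPT root:tty1
+:ALL:ALL
"""
```

Because the first match decides, rule order matters: an early "+:ALL:ALL" line would silence every restriction written after it.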

/etc/security/time.conf

This file uses the pam_time.so module to restrict access to the console based on users/groups and on the time of access. The syntax of this file is :

services;ttys;users;times

* For example, to allow console access to user kate only on Mondays from 12:00 to 14:00 :

1.- Activate the pam_time module in /etc/pam.d/login by adding, as the first 'account' line --> "account required pam_time.so"

2.- Configure the access in /etc/security/time.conf :

$ echo "login;*;kate;Mo1200-1400" >> /etc/security/time.conf

Now console access for kate is allowed only on Mondays from 12:00 to 14:00.
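An added Python model, not from the original page, of how pam_time reads these rules, including the day codes Wk, Wd and Al and the toggle rule for repeated day codes. The `&` operator of pam_time's logic lists is not modelled, only `|` and `!`; `at()` is a helper of this example.

```python
from datetime import datetime

# Day codes used by pam_time; Wk = weekdays, Wd = weekend, Al = every day
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

def at(text):                    # at('2024-01-01 13:00')
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def _field_matches(field, value):
    """services/ttys/users field: '*' is anything, '!x' negates, 'a|b' lists."""
    if field == "*":
        return True
    negate = field.startswith("!")
    hit = value in field.lstrip("!").split("|")
    return not hit if negate else hit

def time_spec_matches(spec, when):
    """'Mo1200-1400': day codes, then HHMM-HHMM. Repeated day codes toggle,
    as in pam_time, so 'AlFr0800-1800' means every day except Friday."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    days = set()
    while spec[:2] in DAYS:
        days ^= DAYS[spec[:2]]
        spec = spec[2:]
    start, end = (int(x) for x in spec.split("-"))
    now = when.hour * 100 + when.minute
    if start <= end:
        in_range = start <= now < end
    else:                        # range wraps past midnight, e.g. 2300-0100
        in_range = now >= start or now < end
    hit = when.weekday() in days and in_range
    return not hit if negate else hit

def time_allowed(conf_text, service, tty, user, when):
    """Refuse when a matching rule's time specs all miss 'when'; no match means allow."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times = line.split(";")
        if not (_field_matches(services, service) and _field_matches(ttys, tty)
                and _field_matches(users, user)):
            continue
        if not any(time_spec_matches(t, when) for t in times.split("|")):
            return False
    return True

SAMPLE_TIME_CONF = "login;*;kate;Mo1200-1400\n"   # constructed sample time.conf
```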

Console Program Access

Disabling console program access

In secured environments where you may not want to allow any user at the console to run the 'reboot', 'halt' or 'poweroff' commands, the corresponding files in /etc/security/console.apps must be removed :

rm -rf /etc/security/console.apps/reboot
rm -rf /etc/security/console.apps/halt
rm -rf /etc/security/console.apps/poweroff

By default any user on the console can execute 'reboot', 'halt' or 'poweroff' !!!

To disable console users' access to any console program :

rm -rf /etc/security/console.apps/*

Enabling console access for any application via PAM

In order to control access from console users to system programs in /sbin or /usr/sbin, the consolehelper command, which authenticates console users via PAM, must be used :

1.- In the /usr/bin directory, create a link named after the application to control, pointing to the /usr/bin/consolehelper program. For example, if access to the /usr/sbin/pwck command needs to be restricted to certain users :

$ cd /usr/bin
$ ln -s consolehelper pwck

2.- Create the file /etc/security/console.apps/application_name in order to allow application_name to be executed on the console. In our particular case :

$ touch /etc/security/console.apps/pwck

3.- Create the PAM configuration file for the application. One easy way to do it is to copy /etc/pam.d/halt to /etc/pam.d/application_name :

$ cp /etc/pam.d/halt /etc/pam.d/pwck

Add as the second line --> 'auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/pwck.allow'

Users listed in /etc/pwck.allow (john) will be allowed to execute '/usr/bin/pwck'; the rest (kate et al.) will not be allowed.

4.- Verify the result

Log in at the console as kate ( 'su - kate' is not a console login !!!)
kate-$ pwck

Nothing is done

Log in at the console as john ( 'su - john' is not a console login !!!)
john-$ pwck
user 'adm': directory '/var/adm' does not exist
...
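An added example, not code from the page or from the consolehelper project, that models the 'auth' stack of the /etc/pam.d/pwck file built in steps 3 and 4 to show who gets through. HALT_TEMPLATE is a constructed stand-in for /etc/pam.d/halt, pam_console is approximated by an on_console flag, and only the required/sufficient controls are handled.

```python
# Model of the auth stack after the tutorial's edit. HALT_TEMPLATE is a
# constructed stand-in for /etc/pam.d/halt; only pam_rootok, pam_console and
# pam_listfile are modelled, and only required/sufficient controls.

HALT_TEMPLATE = """#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so
"""

def build_pam_config(template, allow_file):
    """Insert the pam_listfile rule as the second line, as the tutorial says."""
    lines = template.splitlines()
    rule = ("auth required pam_listfile.so onerr=fail item=user "
            f"sense=allow file={allow_file}")
    return "\n".join([lines[0], rule] + lines[1:]) + "\n"

def _listfile(opts, user, allow_text):
    """pam_listfile: allow_text is the file's contents, or None if unreadable."""
    if allow_text is None:
        return opts.get("onerr") == "succeed"   # onerr=fail refuses everyone
    listed = user in [l.strip() for l in allow_text.splitlines() if l.strip()]
    return listed if opts.get("sense") == "allow" else not listed

def auth_stack_passes(config_text, user, allow_text, on_console=True):
    """Walk the 'auth' lines with Linux-PAM required/sufficient semantics."""
    failed = False
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        control, module = parts[1], parts[2]
        opts = dict(o.split("=", 1) for o in parts[3:] if "=" in o)
        if module == "pam_listfile.so":
            ok = _listfile(opts, user, allow_text)
        elif module == "pam_rootok.so":
            ok = user == "root"
        else:                      # pam_console.so: needs a real console login
            ok = on_console
        if control == "required" and not ok:
            failed = True          # keep walking, but the stack will fail
        elif control == "sufficient" and ok and not failed:
            return True
    return not failed

PWCK_ALLOW = "john\n"              # constructed stand-in for /etc/pwck.allow
PWCK_PAM = build_pam_config(HALT_TEMPLATE, "/etc/pwck.allow")
```

In this model the pam_listfile line sits before pam_rootok and is 'required', so root is refused as well unless root is also listed in /etc/pwck.allow; an unreadable allow file refuses everyone because of onerr=fail.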

Questions

1.- By default the pam_access module is not activated in /etc/pam.d/login on a RHEL6 system (true/false)

2.- By default the pam_time module is activated in /etc/pam.d/login on a RHEL6 system (true/false)

3.- By default any user can log in on the console (true/false)

4.- By default any user on the console can reboot the system with the 'Ctrl+Alt+Del' key combination (true/false)

5.- Which line must be added to /etc/security/access.conf in order to deny access to the tty5 virtual console to all users except 'john'? Suppose that the pam_access module is activated in the login process.

6.- Which line must be added to /etc/security/time.conf in order to allow access to user kate only on Sundays?

7.- The consolehelper command can be used to control access from the console to commands located in users' home directories (true/false)

8.- To disable access from console users to any console command, all files in the /etc/security/console.apps/ directory must be removed (true/false)

9.- Access to the console for user root is always granted; it cannot be controlled (true/false)

10.- In order to control which non-root users can execute the 'shutdown' command on the console :
A - The file /etc/security/console.apps/shutdown must exist
B - In the /usr/bin directory a link from shutdown to the consolehelper command must exist
C - Both of them
D - None of them

Labs

1.- Disable shutdown via the Ctrl+Alt+Del key combination. Using consolehelper, allow user kate (and root) to run the 'shutdown' command on the console.

2.- Allow user 'john' to log in only on virtual console 'tty3'.

3.- Allow user 'kate' to log in on the console only on weekends: Saturday and Sunday.

-- This page is part of Linux Server online tutorial --