Re: [gentoo-dev] PAM related: pam_console ?

["Robin H. Johnson" <robbat2@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 2177 bytes --]

On Thu, Mar 31, 2005 at 03:17:06PM +0200, Diego Flameeyes Petten? wrote:
> Anyway I was wondering what pam_console is used for, at the end. It's a way to 
> set up permissions when someone logins at a console. I would never use 
> something like that on a remote server, as anyone which could have a local 
> login can do anything? It also doesn't make sense on a recent user system 
> configured properly, as devfs/udev would take care of permissions, and users 
> needs only to set the group correctly (simpler than using pam_console 
> anyway).
Since you asked, pam_console is extremely useful in shared computer lab
settings. Take this scenario for example:
- User A has logged into a lab workstation from home, and is working on
  his stuff.
- User B physically goes and sits at the workstation, as he wants to
  copy his research materials to a floppy disk (but this applies to any
  other hardware as well; eg modems, cd writers, et al).
- User A should never have access to the floppy disk, as he is not
  physically present. Only User B should have access, because he is
  physically present.
- Using groups in this case (eg the floppy group) is not suitable, as
  both users would have to be in it, and then they could both access
  the floppy drive.
- pam_console applies a set of permissions ONLY for users logged in at
  the local machine, for the duration of their login. So for the
  duration of User B's physical time at the machine, he has access to
  the hardware as allowed by pam_console.

That said, pam_console is a pain to deal with under a few cases:
- it only takes effect for the first concurrent login at a machine (eg
  the first virtual terminal in use, when none of the others are in
  use).
- In some cases it doesn't correctly reset the permissions after the
  user.

I'd say more than 99% of Gentoo users probably have no use for
pam_console, but it still has a place in Gentoo.

-- 
Robin Hugh Johnson
E-Mail     : robbat2@orbis-terrarum.net
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 241 bytes --]