14.6. PAM and Device Ownership
Red Hat Linux allows the first user to log in on the physical console of the
machine the ability to manipulate some devices and perform some tasks
normally reserved for the root user. This is controlled by a PAM module
14.6.1. Device Ownership
When a user logs into a machine under Red Hat Linux, the
pam_console.so module is called by
login or the graphical login programs,
gdm and kdm. If
this user is the first user to log in at the physical console —
called the console user — the module
grants the user ownership of a variety of devices normally owned by
root. The console user owns these devices until the last local session
for that user ends. Once the user has logged out, ownership of the
devices reverts back to the root user.
The devices affected include, but are not limited to, sound cards,
diskette drives, and CD-ROM drives.
This allows a local user to manipulate these devices without attaining
root, thus simplifying common tasks for the console user.
By modifying the file
/etc/security/console.perms, the administrator
can edit the list of devices controlled by
14.6.2. Application Access
The console user is also allowed access to certain programs with a file
bearing the command name in the
One notable group of applications the console user has access to are
three programs which shut off or reboot the system. These are:
Because these are PAM-aware applications, they call the
pam_console.so module as a requirement for use.
For more information, refer to the man pages for