[RFC Fedora 10] kill pam_console
Chris Adams
cmadams at hiwaay.net
Wed Jul 9 20:57:15 UTC 2008

Once upon a time, Bill Nottingham <notting at redhat.com> said:
> Chris Adams (cmadams at hiwaay.net) said:
> > I am slow on the up-take here, but how do I use the "HAL-based ACL
> > support" to replace pam_console? For example, on a system with serial
> > ports used for accessing other consoles, I have a 10-serial.perms like:
> >
> > ########################################################################
> > <serial>=/dev/ttyS[0-9]* /dev/ttyUSB[0-9]*
> >
> > <console> 0660 <serial> 0660 root.uucp
> > ########################################################################
> >
> > How do I replace that?
>
> See /usr/share/hal/fdi/policy/10osvendor/00-thinkfinger.fdi for an
> example of something that does access control. What does lshal
> have for your serial devices?

One is old-style serial and one is USB:

#########################################################################
udi = '/org/freedesktop/Hal/devices/pnp_PNP0501_0_serial_platform_1'
info.capabilities = {'serial'} (string list)
info.category = 'serial' (string)
info.parent = '/org/freedesktop/Hal/devices/pnp_PNP0501_0' (string)
info.product = '16550A-compatible COM port' (string)
info.udi = '/org/freedesktop/Hal/devices/pnp_PNP0501_0_serial_platform_1' (string)
linux.device_file = '/dev/ttyS1' (string)
linux.hotplug_type = 2 (0x2) (int)
linux.subsystem = 'tty' (string)
linux.sysfs_path = '/sys/class/tty/ttyS1' (string)
serial.device = '/dev/ttyS1' (string)
serial.originating_device = '/org/freedesktop/Hal/devices/pnp_PNP0501_0' (string)
serial.physical_device = '/org/freedesktop/Hal/devices/pnp_PNP0501_0' (string)
serial.port = 1 (0x1) (int)
serial.type = 'platform' (string)

udi = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0_serial_usb_0'
info.capabilities = {'serial'} (string list)
info.category = 'serial' (string)
info.parent = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0' (string)
info.product = 'F5U109/F5U409 PDA Adapter' (string)
info.udi = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0_serial_usb_0' (string)
linux.device_file = '/dev/ttyUSB0' (string)
linux.hotplug_type = 2 (0x2) (int)
linux.subsystem = 'tty' (string)
linux.sysfs_path = '/sys/class/tty/ttyUSB0' (string)
serial.device = '/dev/ttyUSB0' (string)
serial.originating_device = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0' (string)
serial.physical_device = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0' (string)
serial.port = 0 (0x0) (int)
serial.type = 'usb' (string)
#########################################################################

If I just wanted all serial ports assigned (like in my pam_console bit
above), I guess something like this would work?

#########################################################################
<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
  <device>
    <match key="serial.port" exists="true">
      <append key="info.capabilities" type="strlist">access_control</append>
      <merge key="access_control.file" type="copy_property">linux.device_file</merge>
      <merge key="access_control.type" type="string">serial</merge>
    </match>
  </device>
</deviceinfo>
#########################################################################

I have another system where I have multiple USB-to-RS232 adapters; one
is used for outbound terminal sessions (console user gets access) and
one for a modem (no console access). I differentiate between the two
with a udev rule that adds a symlink (e.g. "term" and "modem") and then
set the permissions with a pam_console match on the symlink. Is it
possible to match something set from udev like that (so I don't have two
places to keep track of hardware serial numbers and such for matching)?

--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
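
Added example, not part of the original post: a small Python check of which device nodes the .fdi rule quoted above would tag with access_control, run against records trimmed from the same lshal output. It simulates only the three fdi constructs in that rule and is not HAL's matcher; parse_lshal, apply_fdi and tagged_files are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Sample input trimmed from the lshal output and the .fdi quoted in the post.
LSHAL = """\
udi = '/org/freedesktop/Hal/devices/pnp_PNP0501_0_serial_platform_1'
info.capabilities = {'serial'} (string list)
linux.device_file = '/dev/ttyS1' (string)
serial.port = 1 (0x1) (int)
udi = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0_serial_usb_0'
linux.device_file = '/dev/ttyUSB0' (string)
serial.port = 0 (0x0) (int)
"""
FDI = """<deviceinfo version="0.2"><device>
<match key="serial.port" exists="true">
<append key="info.capabilities" type="strlist">access_control</append>
<merge key="access_control.file" type="copy_property">linux.device_file</merge>
<merge key="access_control.type" type="string">serial</merge>
</match></device></deviceinfo>"""
PROP = re.compile(r"^\s*([\w.]+) = (.*?)\s+\((string list|string|int)\)\s*$")

def parse_lshal(text):
    """Split lshal-style text into one property dict per 'udi = ' record."""
    devices = []
    for line in text.splitlines():
        m = PROP.match(line)
        if line.startswith("udi = "):
            devices.append({})
        elif m and devices:
            key, raw, typ = m.groups()
            devices[-1][key] = (re.findall(r"'([^']*)'", raw) if typ == "string list"
                                else int(raw.split()[0]) if typ == "int" else raw.strip("'"))
    return devices

def apply_fdi(fdi_xml, dev):
    """Simulate only the constructs used in the post; this is not HAL's matcher."""
    out = dict(dev)
    for match in ET.fromstring(fdi_xml).iter("match"):
        hit = (match.get("key") in out) == (match.get("exists") == "true")
        for op in (match if hit else ()):
            key = op.get("key")
            val = out.get(op.text) if op.get("type") == "copy_property" else op.text
            out[key] = out.get(key, []) + [val] if op.tag == "append" else val
    return out

def tagged_files(fdi_xml, lshal_text):  # nodes that would get access_control
    merged = [apply_fdi(fdi_xml, d) for d in parse_lshal(lshal_text)]
    return [d["access_control.file"] for d in merged
            if "access_control" in d.get("info.capabilities", [])]
```

tagged_files(FDI, LSHAL) returns both /dev/ttyS1 and /dev/ttyUSB0: a match on serial.port alone selects every serial port, so it cannot tell a terminal adapter from a modem adapter.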