27.5. Enabling Console Access for Other Applications

27.5. Enabling Console Access for Other Applications

To make other applications accessible to console users, a bit more work is required.

First of all, console access only works for applications which reside in /sbin/ or /usr/sbin/, so the application that you wish to run must be there. After verifying that, perform the following steps:

  1. Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:

    cd /usr/bin ln -s consolehelper foo
  2. Create the file /etc/security/console.apps/foo:

    touch /etc/security/console.apps/foo
  3. Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to copy the PAM configuration file of the halt service, and then modify the copy if you want to change the behavior:

    cp /etc/pam.d/halt /etc/pam.d/foo

Now, when /usr/bin/foo is executed, consolehelper is called, which authenticates the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper asks for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it does precisely what is specified in /etc/pam.d/foo) and then runs /usr/sbin/foo with root permissions.

In the PAM configuration file, an application can be configured to use the pam_timestamp module to remember (or cache) a successful authentication attempt. When an application is started and proper authentication is provided (the root password), a timestamp file is created. By default, a successful authentication is cached for five minutes. During this time, any other application that is configured to use pam_timestamp and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again.

This module is included in the pam package. To enable this feature, add the following lines to your PAM configuration file in etc/pam.d/:

auth include config-util account include config-util session include config-util

These lines can be copied from any of the /etc/pam.d/system-config-* configuration files. Note that these lines must be added below any other auth sufficientsession optional lines in your PAM configuration file.

If an application configured to use pam_timestamp is successfully authenticated from the Applications (the main menu on the panel), the icon is displayed in the notification area of the panel if you are running the GNOME or KDE desktop environment. After the authentication expires (the default is five minutes), the icon disappears.

The user can select to forget the cached authentication by clicking on the icon and selecting the option to forget authentication.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.