24.6. Enabling Console Access for Other Applications
If you wish to make other applications accessible to console users, you will have to do a bit more work.
First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there. After verifying that, do the following steps:
Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:
cd /usr/bin ln -s consolehelper foo
Create the file /etc/security/console.apps/foo:
touch /etc/security/console.apps/foo
Create a PAM configuration file for the foo service in /etc/pam.d/
cp /etc/pam.d/halt /etc/pam.d/foo
Now, when you run /usr/bin/foo, it will call consolehelper, which will authenticate the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper will ask for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo with root permissions.
In the PAM configuration file, an application can be configured to use the pam_timestamp a successful authentication is cached for five minutes. During this time, any other application that is configured to use pam_timestamp— the user does not have to enter the root password again.
This module is included in the pam package. To enable this feature, the PAM configuration file in etc/pam.d/ must include the following lines:
auth sufficient /lib/security/pam_timestamp.so session optional /lib/security/pam_timestamp.so |
The first line that begins with auth should be after any other auth sufficient lines, and the line that begins with session should be after any other session optional lines.
If an application configured to use pam_timestamp
is successfully authenticated from the Main Menu
Button (on the Panel), the
The user can select to forget the cached authentication by clicking on the icon and selecting the option to forget authentication.
| Главная |