Red Hat Bugzilla – Bug 88370
pam_console doesn't change ownership/permissions of directories
Last modified: 2007-04-18 12:52:53 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020326
Description of problem:
If an entry is added to /etc/security/console.perms to change the ownership of a
directory to the console user, nothing happens when a user logs in at the
console. This behaviour has deliberately been changed at some stage, so that if
a directory is specified, the corresponding device is looked up in fstab and the
ownership of the device file changed instead.
In some circumstances, it would be useful to be able to change the ownership of
an ordinary directory to the console user, for example /mnt so that only the
console user may read mounted removable disks. I can't see that this would be a
security loophole as directories would have to be specified in console.perms for
their ownership to be changed in this way.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Edit /etc/security/console.perms to include the line:
<console> 0500 /mnt 0755 root
2. As root, run /sbin/pam_console_apply
Actual Results: Ownership of /mnt changes to the console user with permissions
Expected Results: Ownership and permissions of /mnt are unchanged.
Sorry, actual and expected results should be the other way round!
Created attachment 104065
We should apply the chmod/chown to dir if it isn't found in fstab.
Actually the patch isn't right because it could cause unwanted changes.
We would have to invent a way to signal to pam_console that the
user really wants to change directory permissions and not to look into
In the new pam from the Fedora Core Development you can use console.handlers for
The console.perms semantics shouldn't be changed.
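
The two behaviours discussed in this report, as an added C sketch that is not pam_console's own code or the attached patch: it models, following the reporter's description, a directory rule resolving to its fstab device, and the proposed fallback to the directory itself. The fstab contents and the names `fstab_device`, `chown_target`, `DEVICE_ONLY` and `FALLBACK_TO_DIR` are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample fstab; not taken from the bug report. */
static const char *SAMPLE_FSTAB =
    "/dev/hda1   /            ext3     defaults      1 1\n"
    "# removable media\n"
    "/dev/fd0    /mnt/floppy  auto     noauto,owner  0 0\n"
    "/dev/cdrom  /mnt/cdrom   iso9660  noauto,ro     0 0\n";

enum policy { DEVICE_ONLY, FALLBACK_TO_DIR };  /* hypothetical names */
/* Find the fstab entry whose mount point is `dir`; copy its device to `dev`. */
static int fstab_device(const char *fstab, const char *dir, char *dev, size_t n)
{
    char line[512], spec[256], file[256];
    for (const char *p = fstab; *p; ) {
        size_t len = strcspn(p, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, p);
        if (line[0] != '#' && sscanf(line, "%255s %255s", spec, file) == 2
            && strcmp(file, dir) == 0) {
            snprintf(dev, n, "%s", spec);
            return 1;
        }
        p += len + (p[len] == '\n');   /* step past this line */
    }
    return 0;
}

/* Path whose owner/mode would change for a directory rule, or NULL if none. */
static const char *chown_target(const char *fstab, const char *dir,
                                enum policy pol, char *buf, size_t n)
{
    if (fstab_device(fstab, dir, buf, n))
        return buf;                 /* mount point: act on the device file */
    if (pol != FALLBACK_TO_DIR)
        return NULL;                /* reported behaviour: nothing happens */
    snprintf(buf, n, "%s", dir);    /* proposed patch: act on the directory */
    return buf;
}

int main(void)
{
    const char *dirs[] = { "/mnt/floppy", "/mnt" };
    char buf[256];
    for (int i = 0; i < 4; i++) {
        const char *t = chown_target(SAMPLE_FSTAB, dirs[i / 2], i % 2, buf, sizeof buf);
        printf("%-12s policy=%d -> %s\n", dirs[i / 2], i % 2, t ? t : "(no change)");
    }
    return 0;
}
```

In this model, under the fallback policy, whether a rule touches a device node or the directory itself depends only on whether fstab happens to list that path.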