From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020326

Description of problem:
If an entry is added to /etc/security/console.perms to change the ownership of a directory to the console user, nothing happens when a user logs in at the console. This behaviour has deliberately been changed at some stage, so that if a directory is specified, the corresponding device is looked up in fstab and the ownership of the device file changed instead. In some circumstances, it would be useful to be able to change the ownership of an ordinary directory to the console user, for example /mnt so that only the console user may read mounted removable disks. I can't see that this would be a security loophole as directories would have to be specified in console.perms for their ownership to be changed in this way.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Edit /etc/security/console.perms to include the line:
   <console> 0500 /mnt 0755 root
2. As root, run /sbin/pam_console_apply

Actual Results:
Ownership of /mnt changes to the console user with permissions dr-x------

Expected Results:
Ownership and permissions of /mnt are unchanged.

Additional info:
Sorry, actual and expected results should be the other way round!
Created attachment 104065
Proposed patch

We should apply the chmod/chown to dir if it isn't found in fstab.
Actually the patch isn't right because it could cause unwanted changes. We would have to invent a way to signal to pam_console that the user really wants to change directory permissions and not to look into fstab.
In the new pam from the Fedora Core Development you can use console.handlers for this purpose. The console.perms semantics shouldn't be changed.
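
An added example, not part of the original thread and not pam_console's own code: a small audit that models the lookup as the report at the top describes it (a directory entry is resolved through fstab to its device file) and flags console.perms entries that would silently do nothing. The sample fstab and console.perms text are constructed, `is_dir` is a hypothetical caller-supplied predicate, and class references and globs are assumed out of scope and left unexpanded.

```python
import posixpath

# Constructed sample inputs (not taken from a real system).
FSTAB = """\
# device     mountpoint    type     options          dump pass
/dev/hda1    /             ext3     defaults         1 1
/dev/cdrom   /mnt/cdrom    iso9660  noauto,owner,ro  0 0
/dev/fd0     /mnt/floppy   auto     noauto,owner     0 0
"""
CONSOLE_PERMS = """\
<console> 0660 /dev/fd0 0660 root.floppy
<console> 0600 /mnt/cdrom 0660 root.disk
<console> 0500 /mnt 0755 root
"""

def fstab_mounts(text):
    """Map mount point -> device, skipping comments and blank lines."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            mounts[posixpath.normpath(fields[1])] = fields[0]
    return mounts

def audit(perms_text, fstab_text, is_dir):
    """Return [(path, effective_target)]; a target of None means a no-op.

    is_dir is a hypothetical predicate so the audit runs offline;
    on a live host pass os.path.isdir.
    """
    mounts = fstab_mounts(fstab_text)
    results = []
    for line in perms_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Keep only permission lines of the form "<class> mode path ...".
        if len(fields) < 3 or not (fields[0].startswith("<") and fields[0].endswith(">")):
            continue
        if fields[2].startswith("<"):
            continue  # device class reference: not expanded in this model
        path = posixpath.normpath(fields[2])
        # Directory: the device from fstab is the target, or nothing at all.
        target = mounts.get(path) if is_dir(path) else path
        results.append((path, target))
    return results

if __name__ == "__main__":
    for path, target in audit(CONSOLE_PERMS, FSTAB, lambda p: p.startswith("/mnt")):
        print(f"{path}: {target or 'NO-OP (directory not in fstab)'}")
```

An entry reported as a no-op is one an administrator may believe is restricting access when no ownership change takes place.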