[RFC Fedora 10] kill pam_console

Bill Nottingham notting at redhat.com
Wed Jul 9 21:04:51 UTC 2008


Chris Adams (cmadams at hiwaay.net) said: 
> If I just wanted all serial ports assigned (like in my pam_console bit
> above), I guess something like this would work?
> 
> #########################################################################
> <?xml version="1.0" encoding="UTF-8"?>
> <deviceinfo version="0.2">
>   <device>
>     <match key="serial.port" exists="true">
>       <append key="info.capabilities" type="strlist">access_control</append>
>       <merge key="access_control.file" type="copy_property">linux.device_file</merge>
>       <merge key="access_control.type" type="string">serial</merge>
>     </match>
>   </device>
> </deviceinfo>
> #########################################################################

Something along those lines, yes.

> I have another system where I have multiple USB-to-RS232 adapters; one
> is used for outbound terminal sessions (console user gets access) and
> one for a modem (no console access).  I differentiate between the two
> with a udev rule that adds a symlink (e.g. "term" and "modem") and then
> set the permissions with a pam_console match on the symlink.  Is it
> possible to match something set from udev like that (so I don't have two
> places to keep track of hardware serial numbers and such for matching)?

This is a two-stage process. For examples see:

 /usr/share/hal/fdi/information/10freedesktop/10-usb-pda.fdi

followed by:

 /usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi

The first looks at varying information in HAL (such as the driver
being the ipaq driver, the USB vendor/product ids), and then adds
the 'pda' capability to the device. The second file then adds ACL
management to any device with 'pda' capabilities.

So, you'd want to use whatever criteria you're using in udev to
set a capability on the device, and then add the stanza to only
apply ACLs to devices with that capability. (Depending on the
criteria you're using in udev, you might be able to craft the
match without adding a property.)

Bill
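
The two-stage layout described in the reply above, sketched for the terminal/modem case. This is an added example, not part of the original message and not taken from the HAL files it cites. The file names, the "console_term" capability, the serial number value and the `@info.parent:usb.serial` lookup are assumptions; the ACL stanza reuses the keys from the quoted example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Stage 1, hypothetical file /etc/hal/fdi/information/10-console-term.fdi
     Tag only the outbound-terminal adapter with a custom capability.
     "console_term" is a made-up capability name; the serial number is a
     constructed placeholder; the @info.parent:usb.serial lookup is an
     assumption about where HAL exposes the adapter's serial number
     (check the real key names with lshal). -->
<deviceinfo version="0.2">
  <device>
    <match key="serial.port" exists="true">
      <match key="@info.parent:usb.serial" string="CONSTRUCTED-TERM-0001">
        <append key="info.capabilities" type="strlist">console_term</append>
      </match>
    </match>
  </device>
</deviceinfo>

<?xml version="1.0" encoding="UTF-8"?>
<!-- Stage 2, hypothetical file /etc/hal/fdi/policy/20-console-term-acl.fdi
     Apply ACL management only to devices carrying that capability.
     The modem adapter never gets the capability, so it never matches
     here and the console user gets no ACL on it. -->
<deviceinfo version="0.2">
  <device>
    <match key="info.capabilities" contains="console_term">
      <append key="info.capabilities" type="strlist">access_control</append>
      <merge key="access_control.file" type="copy_property">linux.device_file</merge>
      <merge key="access_control.type" type="string">serial</merge>
    </match>
  </device>
</deviceinfo>
```

Compared with the quoted stanza, the only change in stage 2 is the match condition: keying on the capability instead of `serial.port` keeps the ACL off every serial device that stage 1 did not tag.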
