At the weekend I tried a shared library that implements pam_console for a single
file via the CFUNCTION interface. It works in the sense that it does not crash
and it changes permissions (I could try only ide-scsi CD-ROM and sound
as these are almost the only devices I can remove/add drivers for).
Implementation is dirty as it was just proof of concept - I copied
pam_console_apply.c over, removed options processing and added two
functions to (re-)set permissions on single file modeled after
set_permissions and reset_permissions.
Some notes:
- console.perms has to be extended of course. If we apply pam_console on
REGISTER then /dev/cdrom* are never registered - but
/dev/{ide,scsi}/*/*/*/*/cd are. It is possible to use /dev/cdroms/* BUT
for the current symlink bug in devfs - it resulted in lockup at least
once. Besides, I am not sure in which order they get registered, so I'd
prefer full unambiguous path. The same applies to generic SCSI of
course.
- pam_console_apply is using "tty0" for a console name. It means, if
user logged in on X, there are chances some devices (belonging to X
console class) will be skipped. When it is used as pam_console.so, it
knows true console name from PAM; it is possible that pam_console.so
saves console name after successful logon for later use and removes it
on logout.
- of course, there is a possibility of stray console lock files after
crash so it needs to be cleaned up after /var is mounted rw but before
pam_console_apply is called.
Currently I have it as a separate library; I wonder if it is possible to just
dlopen executable (I think about pam_console_apply).
If there is any interest I could send just current diff. It is possible
to optimize a bit (by avoiding globbing when we know there is just a
single file and not a pattern). There does not seem to be any memory
leak for all I can tell.
-andrej
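
The optimization mentioned in the message (no globbing when only a single file is involved), as an added example that is not the author's code or part of pam_console. The rule table, the function names `match_single_path` and `set_single_file`, and the 0600 mode are assumptions made for illustration; real rules come from console.perms.

```c
#define _XOPEN_SOURCE 700
#include <fnmatch.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed rule table; the real rules live in console.perms. */
struct perm_rule { const char *pattern; mode_t mode; };
static const struct perm_rule rules[] = {
    { "/dev/ide/*/*/*/*/cd",  0600 },
    { "/dev/scsi/*/*/*/*/cd", 0600 },
    { "/dev/sound/*",         0600 },
};

/* Match one known path against the patterns. FNM_PATHNAME keeps '*' from
 * crossing '/', as glob() does, so the answer equals "would glob() have
 * returned this path", without expanding the pattern over /dev. */
const struct perm_rule *match_single_path(const char *path)
{
    if (path == NULL || path[0] != '/')
        return NULL;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (fnmatch(rules[i].pattern, path, FNM_PATHNAME | FNM_PERIOD) == 0)
            return &rules[i];
    return NULL;
}

/* Give one node to the console user: 0 = done, 1 = no rule covers the
 * path, -1 = error. Needs root; anything but a device node is refused. */
int set_single_file(const char *path, uid_t uid, gid_t gid)
{
    const struct perm_rule *r = match_single_path(path);
    struct stat st;

    if (r == NULL)
        return 1;
    if (lstat(path, &st) != 0 || !(S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode)))
        return -1;
    if (chmod(path, r->mode) != 0 || chown(path, uid, gid) != 0)
        return -1;
    return 0;
}

int main(void)
{
    const char *p = "/dev/ide/host0/bus0/target1/lun0/cd"; /* constructed */
    printf("%s: %s\n", p, match_single_path(p) ? "rule found" : "no rule");
    return 0;
}
```

The `lstat` check means a symlink such as `/dev/cdrom` is never followed, even if a pattern were later added that matches it.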