Hello all,
Stephen Gallagher [2019-01-01 9:14 -0500]:
I had an idea this morning, however. Once Cockpit is started, the MOTD provides useful information to all users logging in, so that needs to stay. The “how to start” message could probably be restricted to showing only to those users who are known to be capable of starting it (generally, root and members of the “wheel” group).
I need to test an idea (I’m on holiday today, back in the office tomorrow), but I think what we could do is set the ownership of the static MOTD to root:wheel and mode 0640. As long as pam_motd handles permission errors gracefully, it would only display that message to someone who met that criterion.
pam_motd should handle absent files gracefully; we already tested it with dangling symlinks and such. However, it seems pam_motd does not actually run with the user's privileges, but with root's? I tested your idea of making the file inaccessible (root:wheel 640), but it doesn't work:
| $ ssh test@127.0.0.2
| test@127.0.0.2's password:
| Activate the web console with: systemctl enable --now cockpit.socket
|
| Last login: Wed Jan 16 05:11:16 2019 from 172.27.0.2
| [test@m1 ~]$ cat /etc/motd.d/cockpit
| cat: /etc/motd.d/cockpit: Permission denied
Martin
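
Added example, not part of the message above and not pam_motd code: a small model of the Unix mode-bit check, showing why a root:wheel 0640 file filters nothing when the reader is root and what the same file would do if it were opened with the logging-in user's credentials. The user names, uid/gid numbers and the `reader_is_root` parameter are assumptions made for the example.

```python
import stat
from collections import namedtuple

# Constructed sample identities; the uid/gid numbers are assumptions for the example.
Cred = namedtuple("Cred", "name uid gid groups")
WHEEL = 10
ROOT = Cred("root", 0, 0, frozenset())
ADMIN = Cred("admin", 1000, 1000, frozenset({WHEEL}))
TEST = Cred("test", 1001, 1001, frozenset())

# /etc/motd.d/cockpit as set up in the test above: root:wheel, mode 0640.
MotdFile = namedtuple("MotdFile", "owner_uid owner_gid mode")
COCKPIT_MOTD = MotdFile(0, WHEEL, 0o640)


def can_read(f, cred):
    """Classic Unix DAC read check (mode bits only, no ACLs or LSM policy)."""
    if cred.uid == 0:                      # root bypasses mode bits (CAP_DAC_OVERRIDE)
        return True
    if cred.uid == f.owner_uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.owner_gid == cred.gid or f.owner_gid in cred.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def shown_at_login(f, login_user, reader_is_root):
    """True if the snippet is printed for login_user.

    reader_is_root is a parameter of this model, not a pam_motd option:
    it selects whose credentials open the file.
    """
    return can_read(f, ROOT if reader_is_root else login_user)


def report(f):
    """Map each sample user to (shown if read as root, shown if read as the user)."""
    return {u.name: (shown_at_login(f, u, True), shown_at_login(f, u, False))
            for u in (ROOT, ADMIN, TEST)}


if __name__ == "__main__":
    for name, (as_root, as_user) in report(COCKPIT_MOTD).items():
        print(f"{name:6} read-as-root={as_root!s:5} read-as-user={as_user}")
```

The read-as-root column matches the session above: the message is printed for test even though test's own cat is denied.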