On Wed, Jan 16, 2019 at 5:14 AM Martin Pitt <mpitt(a)redhat.com> wrote:
> Hello all,
>
> Stephen Gallagher [2019-01-01 9:14 -0500]:
> > I had an idea this morning, however. Once Cockpit is started, the MOTD
> > provides useful information to all users logging in, so that needs to stay.
> > The “how to start” message could probably be restricted to showing only to
> > those users who are known to be capable of starting it (generally, root and
> > members of the “wheel” group).
> >
> > I need to test an idea (I’m on holiday today, back in the office tomorrow),
> > but I think what we could do is set the ownership of the static MOTD to
> > root:wheel and mode 0640. As long as pam_motd handles permission errors
> > gracefully, it would only display that message to someone who met those
> > criteria.
>
> pam_motd should handle absent files gracefully, we already tested it with
> dangling symlinks and such. However, it seems pam_motd does not actually run
> with the user privileges, but with root's? I tested your idea of making the
> file inaccessible (root:wheel 640), but it doesn't work:
>
> | $ ssh test@127.0.0.2
> | test@127.0.0.2's password:
> | Activate the web console with: systemctl enable --now cockpit.socket
> |
> | Last login: Wed Jan 16 05:11:16 2019 from 172.27.0.2
> | [test@m1 ~]$ cat /etc/motd.d/cockpit
> | cat: /etc/motd.d/cockpit: Permission denied
Oops, I thought I’d followed up on this. I tried it out and found the same,
but I got distracted and must not have continued on this thread. Yeah, for
some reason it looks like it runs before the permission drop in the
open_session() phase. I was going to dive in deeper and then other
priorities took hold, but I’ll put it on my list for today.
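The observation above boils down to a question of whose credentials the read of the motd file is evaluated against. The following is an added example, not code from the thread, from Cockpit or from pam_motd: it implements the classic POSIX discretionary read check (no ACLs, no LSM) and evaluates it twice for the same root:wheel 0640 file, once as root (the credentials pam_motd effectively reads with in the session phase, before the privilege drop) and once as the logging-in user (what the proposal assumed). The uids, the wheel gid of 10 and the two sample users are constructed for the example.

```python
"""
Added example: why root:wheel 0640 on /etc/motd.d/cockpit does not hide it.

The permission bits only gate a reader whose uid/gids are checked against
them. If the read happens as root, DAC is bypassed and the file is shown
to everyone; the "Permission denied" only appears later, once the user's
own shell (now running with the user's uid) tries to cat the file.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o640


@dataclass(frozen=True)
class Reader:
    uid: int
    gids: frozenset  # effective gid plus supplementary groups


def can_read(meta: FileMeta, reader: Reader) -> bool:
    """POSIX DAC read check: root bypasses; otherwise owner, then group, then other."""
    if reader.uid == 0:
        return True
    if reader.uid == meta.owner_uid:
        return bool(meta.mode & stat.S_IRUSR)
    if meta.group_gid in reader.gids:
        return bool(meta.mode & stat.S_IRGRP)
    return bool(meta.mode & stat.S_IROTH)


def motd_shown_by_pam_motd(meta: FileMeta) -> bool:
    """What the thread observed: pam_motd reads the file as root, before
    the session process has switched to the user's uid."""
    return can_read(meta, Reader(uid=0, gids=frozenset({0})))


def motd_shown_if_read_as_user(meta: FileMeta, user: Reader) -> bool:
    """What the root:wheel 0640 proposal assumed: the read is evaluated
    with the logging-in user's credentials."""
    return can_read(meta, user)


def file_meta_from_path(path: str) -> FileMeta:
    """Build FileMeta from a real file on this host (mode masked to permission bits)."""
    st = os.stat(path)
    return FileMeta(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def current_reader() -> Reader:
    """The credentials the calling process actually has (for ad-hoc checks)."""
    return Reader(os.geteuid(), frozenset(os.getgroups()) | {os.getegid()})


# Constructed sample data (assumptions, not from the thread): wheel is gid 10
# on Fedora; "test" is a plain user, "admin" is a wheel member.
WHEEL_GID = 10
PLAIN_USER = Reader(uid=1000, gids=frozenset({1000}))
WHEEL_USER = Reader(uid=1001, gids=frozenset({1001, WHEEL_GID}))
COCKPIT_MOTD = FileMeta(owner_uid=0, group_gid=WHEEL_GID, mode=0o640)


def report(meta: FileMeta, user: Reader) -> dict:
    """Side-by-side result for one file and one logging-in user."""
    return {
        "shown_by_pam_motd": motd_shown_by_pam_motd(meta),
        "shown_if_read_as_user": motd_shown_if_read_as_user(meta, user),
        "user_can_cat_it_afterwards": can_read(meta, user),
    }


if __name__ == "__main__":
    for name, user in (("test", PLAIN_USER), ("admin", WHEEL_USER)):
        print(name, report(COCKPIT_MOTD, user))
```

The `report` for the plain user is the exact situation in the ssh transcript: the banner is shown, yet `cat` of the same file fails afterwards. `file_meta_from_path` and `current_reader` let the same check be run against a real `/etc/motd.d/` entry on a host, but note that they say nothing about which credentials PAM uses at the moment the file is read; that is the whole point of the thread.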