On Wed, Jan 16, 2019 at 5:14 AM Martin Pitt <mpitt@redhat.com> wrote:
Hello all,

Stephen Gallagher [2019-01-01  9:14 -0500]:
> I had an idea this morning, however. Once Cockpit is started, the MOTD
> provides useful information to all users logging in, so that needs to stay.
> The “how to start” message could probably be restricted to showing only to
> those users who are known to be capable of starting it (generally, root and
> members of the “wheel” group).
>
> I need to test an idea (I’m on holiday today, back in the office tomorrow),
> but I think what we could do is set the ownership of the static MOTD to
> root:wheel and mode 0640. As long as pam_motd handles permission errors
> gracefully, it would only display that message to someone who met that
> criteria.

pam_motd should handle absent files gracefully, we already tested it with
dangling symlinks and such. However, it seems pam_motd does not actually run
with the user privileges, but with root's? I tested your idea of making the
file inaccessible (root:wheel 640), but it doesn't work:

| $ ssh test@127.0.0.2
| test@127.0.0.2's password:
| Activate the web console with: systemctl enable --now cockpit.socket
|
| Last login: Wed Jan 16 05:11:16 2019 from 172.27.0.2
| [test@m1 ~]$ cat /etc/motd.d/cockpit
| cat: /etc/motd.d/cockpit: Permission denied


Oops, I thought I’d followed up on this. I tried it out and found the same, but I got distracted and must not have continued on this thread. Yeah, for some reason it looks like it runs before the permission drop in the open_session() phase. I was going to dive in deeper and then other priorities took hold, but I’ll put it on my list for today.
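The session transcript above shows why the mode trick fails: pam_motd opens the fragment while still running as root, and root is not subject to the read bits of a regular file at all. What the idea needs is the classic Unix read decision evaluated against the uid and group set of the user who is logging in, not against the process doing the open. The following is an added example of that decision (not code from pam_motd, Linux-PAM or Cockpit); gid 10 for "wheel" and uid 1000 for the unprivileged user are assumptions used for the walk-through.

```python
import os
import stat

# Constructed values for the walk-through (assumptions, not from the thread):
# Fedora's "wheel" group is conventionally gid 10; the unprivileged user is uid 1000.
WHEEL_GID = 10
TEST_UID = 1000


def can_read(mode, owner_uid, owner_gid, uid, groups):
    """Classic Unix read-permission decision for a regular file.

    `groups` is the full set of gids the user belongs to (primary plus
    supplementary). uid 0 bypasses the mode bits entirely, which is exactly
    why a pam_motd that still runs as root shows a root:wheel 0640 file to
    every user.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        # The owner class is decisive even if group/other bits would allow it.
        return bool(mode & stat.S_IRUSR)
    if owner_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def can_user_read(path, uid, groups):
    """Same decision against a real file's stat data, for the user being
    logged in rather than for the calling process (os.access() would only
    answer for the caller's own ids, i.e. root inside a PAM module)."""
    st = os.stat(path)
    return can_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, groups)


def motd_visibility(mode, owner_uid, owner_gid):
    """Who would see a MOTD fragment if the check were done per user
    instead of as root."""
    return {
        "root (how pam_motd opens it)": can_read(mode, owner_uid, owner_gid, 0, {0}),
        "wheel member": can_read(mode, owner_uid, owner_gid, TEST_UID, {TEST_UID, WHEEL_GID}),
        "non-wheel user": can_read(mode, owner_uid, owner_gid, TEST_UID, {TEST_UID}),
    }


if __name__ == "__main__":
    # /etc/motd.d/cockpit as root:wheel 0640, the layout proposed above
    for who, visible in motd_visibility(0o640, 0, WHEEL_GID).items():
        print(f"{who}: {'shown' if visible else 'hidden'}")
```

Run as a plain script it prints that root and a wheel member would see the fragment while the non-wheel user would not; the point of the exercise is that the decision has to be made with the target user's identity in hand, because the module's own credentials are root's until the privilege drop the follow-up message mentions.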