On Wed, Jan 16, 2019 at 5:54 AM Stephen Gallagher <sgallagh(a)redhat.com> wrote:
On Wed, Jan 16, 2019 at 5:14 AM Martin Pitt <mpitt(a)redhat.com> wrote:
>
> Hello all,
>
> Stephen Gallagher [2019-01-01 9:14 -0500]:
> > I had an idea this morning, however. Once Cockpit is started, the MOTD
> > provides useful information to all users logging in, so that needs to stay.
> > The “how to start” message could probably be restricted to showing only to
> > those users who are known to be capable of starting it (generally, root and
> > members of the “wheel” group).
> >
> > I need to test an idea (I’m on holiday today, back in the office tomorrow),
> > but I think what we could do is set the ownership of the static MOTD to
> > root:wheel and mode 0640. As long as pam_motd handles permission errors
> > gracefully, it would only display that message to someone who met that
> > criteria.
>
> pam_motd should handle absent files gracefully, we already tested it with
> dangling symlinks and such. However, it seems pam_motd does not actually run
> with the user privileges, but with root's? I tested your ide, a of making the
> file inaccessible (root:wheel 640), but it doesn't work:
>
OK, so while pam_open_session() runs with UID == the user logging in,
it *also* runs with EUID (effective UID) of the application that
called it. This is so that pam_open_session() can do things like
creating or mounting the user's home directory.
So, we cannot rely on basic permissions to restrict the display of the
MOTD (without modifying pam_motd sources). I guess that would have
been too easy...