[CHANGE PROPOSAL] The securetty file is empty by default

Lennart Poettering mzerqung at 0pointer.de
Wed Apr 9 20:20:36 UTC 2014

On Wed, 02.04.14 09:12, quickbooks office (quickbooks.office at gmail.com) wrote:

> [CHANGE PROPOSAL] The securetty file is empty by default
> All the info has been sitting here @
> https://fedoraproject.org/wiki/Changes/securetty_file_is_empty_by_default
> since March 20th.
> Did I mess something up? Or is there just a backlog?

This sounds entirely backwards, and I'd instead vote for removing
securetty from the PAM stacks we ship altogether. The concept is
outdated. It was useful in a time where the primary way to access a
server was via physically attached TTY devices. But that time is mostly

Nowadays the device names exposed by the kernel tend to be dynamically
assigned, they should not be assumed stable (with one exeption, classic
UART 16650 serial ports). Stable paths for these devices we add in via
symlinks these days, using /dev/*/by-path/, /dev/*/by-id/, -- as you
might know from disk devices. Now, the securetty logic is unable to
verify things using these symlinks, hence the entire concept is
flawed. It will use an unsteable device name instead, making it mostly
useless in hotplug scenarios.

securetty is particularly annoying when we use containers. Tools like
"machinectl login" will dynamically spawn a getty for you on a pts
device in the container, but since pts is not listed in securetty you
cannot log in as root by default. And you cannot event add a wildcard
match of pts/* to it, to make this work nicely.

Hence: please let's just remove securetty entirely from the default PAM
stacks. It's annoying, it creates a false sense of security, it's a
relict of a different time and not compatible with modern device
management, hotplug, containers, and so on!


Lennart Poettering, Red Hat

More information about the devel mailing list