[CHANGE PROPOSAL] The securetty file is empty by default

Chris Adams linux at cmadams.net
Wed Apr 9 21:34:16 UTC 2014

Once upon a time, Paul Wouters <paul at nohats.ca> said:
> On Wed, 9 Apr 2014, Chris Adams wrote:
> >Once upon a time, Matthew Miller <mattdm at fedoraproject.org> said:
> >>On Wed, Apr 09, 2014 at 10:20:36PM +0200, Lennart Poettering wrote:
> >>[technical reasoning snipped]
> >>>Hence: please let's just remove securetty entirely from the default PAM
> >>>stacks. It's annoying, it creates a false sense of security, it's a
> >>>relict of a different time and not compatible with modern device
> >>>management, hotplug, containers, and so on!
> >>
> >>That makes sense to me. And unlike tcpwrappers, it's just a runtime config
> >>file change to put back for cases where it's wanted.
> >
> >Yeah, I think that's a decent way forward.  AFAIK the securetty thing
> >right now only affects console terminals
> As long as it does not lock out root from kvm/uml console/serial logins.

The proposal is to remove the securetty thing, which would remove any
TTY check.  root would be allowed on any TTY by default.
Chris Adams <linux at cmadams.net>

More information about the devel mailing list