[CHANGE PROPOSAL] The securetty file is empty by default

Lennart Poettering mzerqung at 0pointer.de
Wed Apr 9 21:39:19 UTC 2014

On Wed, 09.04.14 22:20, Lennart Poettering (mzerqung at 0pointer.de) wrote:

> This sounds entirely backwards, and I'd instead vote for removing
> securetty from the PAM stacks we ship altogether. The concept is
> outdated. It was useful in a time where the primary way to access a
> server was via physically attached TTY devices. But that time is mostly
> over...
> Nowadays the device names exposed by the kernel tend to be dynamically
> assigned, they should not be assumed stable (with one exeption, classic
> UART 16650 serial ports). Stable paths for these devices we add in via
> symlinks these days, using /dev/*/by-path/, /dev/*/by-id/, -- as you
> might know from disk devices. Now, the securetty logic is unable to
> verify things using these symlinks, hence the entire concept is
> flawed. It will use an unsteable device name instead, making it mostly
> useless in hotplug scenarios.
> securetty is particularly annoying when we use containers. Tools like
> "machinectl login" will dynamically spawn a getty for you on a pts
> device in the container, but since pts is not listed in securetty you
> cannot log in as root by default. And you cannot event add a wildcard
> match of pts/* to it, to make this work nicely.
> Hence: please let's just remove securetty entirely from the default PAM
> stacks. It's annoying, it creates a false sense of security, it's a
> relict of a different time and not compatible with modern device
> management, hotplug, containers, and so on!

To clarify this: while I believe dropping securetty from the default PAM
config is the right thing to do, I am not vulunteering to do it. But I'd
love to see somebody to pick this up!


Lennart Poettering, Red Hat

More information about the devel mailing list