F21 System Wide Change: The securetty file is empty by default

quickbooks office quickbooks.office at gmail.com
Sat Apr 12 18:27:13 UTC 2014


On Thu, Apr 10, 2014 at 2:30 AM, Daniel P. Berrange <berrange at redhat.com> wrote:
> On Wed, Apr 09, 2014 at 10:20:36PM +0200, Lennart Poettering wrote:
>>
>> This sounds entirely backwards, and I'd instead vote for removing
>> securetty from the PAM stacks we ship altogether. The concept is
>> outdated. It was useful in a time where the primary way to access a
>> server was via physically attached TTY devices. But that time is mostly
>> over...
>>
>> Nowadays the device names exposed by the kernel tend to be dynamically
>> assigned, they should not be assumed stable (with one exeption, classic
>> UART 16650 serial ports). Stable paths for these devices we add in via
>> symlinks these days, using /dev/*/by-path/, /dev/*/by-id/, -- as you
>> might know from disk devices. Now, the securetty logic is unable to
>> verify things using these symlinks, hence the entire concept is
>> flawed. It will use an unsteable device name instead, making it mostly
>> useless in hotplug scenarios.
>>
>> securetty is particularly annoying when we use containers. Tools like
>> "machinectl login" will dynamically spawn a getty for you on a pts
>> device in the container, but since pts is not listed in securetty you
>> cannot log in as root by default. And you cannot event add a wildcard
>> match of pts/* to it, to make this work nicely.
>
> Yep, the securetty file is one of only 2 remaining blockers for getting
> login working out of the box in containers. Removing securetty would be a
> great help there given the inability to wildcard pts/*. The other problem
> is of course the horrible pam audit module, which the kernel guys are
> hopefully working towards a solution for.
>
> Regards,
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct


-------



On Wed, Apr 9, 2014 at 2:50 PM, Matthew Miller <mattdm at fedoraproject.org> wrote:
> On Wed, Apr 09, 2014 at 11:39:19PM +0200, Lennart Poettering wrote:
>> To clarify this: while I believe dropping securetty from the default PAM
>> config is the right thing to do, I am not vulunteering to do it. But I'd
>> love to see somebody to pick this up!
>
> I looked, and I think this is just a change in util-linux package (not the
> source even; the pam files are packaged as separate sources) + a note in the
> release notes. It's not referenced in authconfig or anything.
>
> I guess maybe we'd also want to remove /etc/securetty to reduce confusion
> (since the normal semantics are that missing file = nothing blocked), that's
> in setup.
>
> But otherwise, I think it just comes down to filing an RFE and getting the
> util-linux maintainer on board. Probably best after this change proposal
> gets to FESCo -- at that point, I'll put this forward as a counter-proposal.
>
> --
> Matthew Miller    --   Fedora Project    --    <mattdm at fedoraproject.org>
>                                   "Tepid change for the somewhat better!"
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

----------------


Not that it matters much, but I support the counter-proposal based on above.


More information about the devel mailing list