On 05 Nov 2014 09:16, Geert Uytterhoeven wrote:
> On Tue, Nov 4, 2014 at 6:31 PM, Mike Frysinger <vap...@gentoo.org> wrote:
> > On 04 Nov 2014 10:04, Geert Uytterhoeven wrote:
> >> Package: login
> >> Version: 1:4.2-2+b1
> >>
> >> /etc/securetty contains the following /dev/ttySC* entries:
> >>
> >> | # SCI serial port (SuperH) ports and SC26xx serial ports
> >> | ttySC0
> >> | ttySC1
> >> | ttySC2
> >> | ttySC3
> >>
> >> Some Renesas ARM-based SH-Mobile development boards have the
> >> serial console on ttySC4 or ttySC6, or a secondary console on ttySC7.
> >> At least one SH-based board has its serial console on ttySC5.
> >>
> >> Can you please add entries ttySC[4-9]?
> >
> > there's a lot of boards with a lot of different serial devices. i'm not sure
> > every possibility should be hardcoded ? every distro is duplicating this work
> > too and maintaining their own random full list. can't we do better here ?
>
> Unfortunately, due to the "only real 16550 serial ports can be called ttyS%u"
> rule...

i'm aware (having written & merged some serial drivers myself). my point was to
improve things by default in userland.

> > perhaps the default should be to not have an /etc/securetty at all ? if the
> > system is configured to launch getty on a tty, then in today's world, it means
> > it's a local device right ? if you have physical access to something, and know
>
> It may still be connected to a modem, waiting for incoming calls...

how many of these systems legitimately exist anymore ? we shouldn't be
handicapping the majority of users for an extreme edge case. if those people
want to set up securetty, they can create the file themselves.

> > the root password, what exactly is this protecting the system from ?
>
> /etc/securetty is not meant to prevent privileged people from getting in,
> but to protect the system against eavesdropping on unsecure lines
> (e.g. out-of-the-building serial cables and modem lines).

how does securetty prevent that ? you can log in as non-root and then sudo. or
try and leverage a known security vuln to escalate that non-root account. any
perceived security provided by securetty is an illusion.
-mike