Hello all, I have a question regarding the behavior of the PAM module, in particular pertaining to the default behavior wherein root login is completely disabled (even from the physical console) when the permissions on the PAM configuration files in `/etc/pam.d/` are incorrect (anything other than `600`).
It absolutely makes sense for the PAM mechanism to fail to initialize for safety reasons under these circumstances, and activities such as remote login, ssh authentication, su/sudo, etc. all make sense to be blocked. But given that the PAM configuration can be reset from the local machine in single user mode, is there a benefit to blocking root login at the tty when PAM fails to initialize? For reference, attempting to log in at the console when the permissions on `/etc/pam.d/` are incorrect gives the following error: ``` freebsd login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions freebsd login: pam_start(): system error ``` Just wondering if this behavior is intentional or if patches to allow login at the local console upon PAM failure would be welcomed. Thank you, Mahmoud Al-Qudsi NeoSmart Technologies _______________________________________________ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
