On Sat, 07.12.13 18:25, Colin Guthrie (gm...@colin.guthr.ie) wrote:

> Hi,
>
> So playing around a bit it seems our default pam config for pam.d/login
> uses a pam_securetty to only allow root logins via "secure" seats.
>
> The file /etc/securetty are tty0-6 and vc/1-6
>
> When "booting" with nspawn, the tty is "console" and thus I cannot login
> as root.
>
> Can I ask people here a few questions:
>
> 1. Is pam_securetty worth it?

Nope. It's really stupid.

> 2. If so, is adding "console" to the default /etc/securetty safe?

It's in there at least on Fedora. I am pretty sure the least all distros
should do is include it there. But actually they should just get rid of
it entirely.

If you add console to securetty, then logging in directly on the nspawn
console will certainly work, but using "machinectl login" still won't.

> 3. And finally, if we should not add "console", could nspawn do
> something clever with a temporary file + bind mount to temporarily allow
> console logins in the /etc/securetty without actually modifying it.

I don't think it's worth trying to bind mount it like that, since there
are a couple of ioctls that leak the original name (ptsname()), and there
are cases where you need to look up the device in /sys. In fact, in
systemd we have some code to track down to which tty /dev/tty, /dev/tty0,
and /dev/console currently point, and playing games with renaming things
certainly contradicts the general goal of such code...

Lennart

-- 
Lennart Poettering, Red Hat