Hi,

Finally we chose to use virtual console (/dev/vt/#) for PAM_TTY (audit
terminal id) and utmpx for both text console and X display:

    . text console sessions

    The PAM_TTY for text console login is set by login(1) to the
    virtual console (/dev/vt/#) on which the text console session is
    running, and the ut_line in utmpx is also set to "vt/#".

    For the system console, PAM_TTY is still /dev/console, and the
    ut_line in utmpx is still set to "console".

    . graphical X sessions

    The virtual console (/dev/vt/#) is associated with the Xorg
    server attached to the local console monitor, and there's an
    "XFree86_VT" atom property on the root window of Xorg to tell
    the virtual console number associated with Xorg. There's no such
    atom property with Xorg if Xorg isn't attached to the local
    console monitor and isn't running on a virtual console.

    The PAM_TTY and the ut_line in utmpx can be properly set by
    the display login manager (dtlogin/gdm) to the virtual console
    (/dev/vt/#) associated with Xorg.


Thanks,
Riny

Riny Qian wrote:
> Gary/Darren,
> 
> Attached are our thoughts on the PAM_TTY and utmpx with Virtual
> Console. For text console, it looks obvious. For graphical login,
> there're several possible methods to deal with the PAM_TTY
> and utmpx record. IMHO, I'd like to keep current state for Virtual
> Console. What's your opinion?
> 
> thanks,
> Riny
> 
> 
> ------------------------------------------------------------------------
> 
>         PAM_TTY and utmpx with Virtual Console
> 
> 1. Background
> 
>     Currently PAM_TTY is set to /dev/console by login(1) when a user
>     logs into the system console or by dtlogin(1X)/gdm(1) when a user
>     logs into the desktop system (JDS/CDE) on local monitor. And the
>     ut_line in utmpx record is set to "console" too.
> 
>     Virtual Console (PSARC/2006/591) project provides additional
>     console terminals besides the system console.
> 
>     The system/console-login SMF service is extended to provide
>     additional text console logins/sessions running on a virtual
>     console (/dev/vt/#).
> 
>     The Xorg server for graphic logins/sessions is also running on a
>     virtual console, and the user can configure to run multiple
>     graphic logins while each Xorg server runs on a separate virtual
>     console.
> 
> 2. PAM_TTY and utmpx with text console sessions
> 
>     The PAM_TTY for text console login is set by login(1) to the
>     virtual console (/dev/vt/#) on which the text console session is
>     running, and the ut_line in utmpx is also set to "vt/#".
> 
>     For the system console, PAM_TTY is still /dev/console, and the
>     ut_line in utmpx is still set to "console".
> 
> 3. PAM_TTY and utmpx with graphical sessions
> 
>     The virtual console (/dev/vt/#) is associated with the Xorg
>     server, and the display login manager (dtlogin/gdm) just knows
>     about display name. There seem to be several methods to deal
>     with this issue for PAM_TTY and utmpx:
> 
>     3.1 Keep current state
> 
>        So the PAM_TTY and the ut_line are still set to the system
>        console (/dev/console) for all graphical sessions.
> 
>     3.2 Enhance PAM_TTY and ut_line in utmpx to support display name.
>         
>         So the PAM_TTY and the ut_line in utmpx can be directly set
>         to the display name by the display login manager.
> 
>         With regards to the audit terminal ID, it can be extended to
> 
>         a) change "terminal ID" to "terminal name" in the audit
>            record. And the terminal name looks more straightforward
>            than the digital terminal ID.
> 
>         b) encode display name in a proper way to terminal ID, just
>            like for remote terminal ID:
>            ai.ai_termid.port = (peer->sin_port<<16 | sock->sin_port);
> 
>     3.3 Xorg provides an interface for the display login manager to
>         get the virtual console number associated with Xorg.
> 
>        So the PAM_TTY and the ut_line in utmpx can be properly set by
>        the display login manager (dtlogin/gdm) to the virtual console
>        (/dev/vt/#) associated with Xorg.
> 
>        The interface could be a virtual console usage file by Xorg.
>        Upon startup, Xorg records an entry like <Xorg_pid, display,
>        virtual console> in this file. And the display login manager
>        can read such information from this file.
> 
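An added example, not part of the original message and not code from login(1), dtlogin, gdm or Xorg: a C sketch of the naming rule in the first message, deriving PAM_TTY and ut_line for a system console, text console or Xorg session, with the "XFree86_VT" property value validated before it is trusted. The names `vt_from_property`, `derive_session_tty`, `NO_VT` and the 32-byte `ut_line` size are assumptions for illustration; a real display manager would obtain the property data from the root window of the X server.

```c
#include <stdio.h>
#include <string.h>

enum session_kind { SESSION_SYSTEM_CONSOLE, SESSION_TEXT_VT, SESSION_XORG };

#define NO_VT (-1L)       /* hypothetical marker: no XFree86_VT property */
#define UT_LINE_MAX 32    /* assumed size of ut_line in struct utmpx */

struct session_tty {
    char ut_line[UT_LINE_MAX];
    char pam_tty[UT_LINE_MAX + 5];   /* "/dev/" + ut_line */
};

/* Validate a property value as a display manager might receive it: one
 * 32-bit item holding a non-negative VT number. Anything else is NO_VT. */
long vt_from_property(const long *data, unsigned long nitems, int format)
{
    if (data == NULL || format != 32 || nitems != 1 || data[0] < 0)
        return NO_VT;
    return data[0];
}

/* Fill in PAM_TTY and ut_line. Returns 0 on success, -1 when no virtual
 * console applies; the message does not say what to record then. */
int derive_session_tty(enum session_kind kind, long vt, struct session_tty *out)
{
    memset(out, 0, sizeof(*out));
    if (kind == SESSION_SYSTEM_CONSOLE) {
        strcpy(out->ut_line, "console");
    } else if (kind == SESSION_TEXT_VT || kind == SESSION_XORG) {
        if (vt < 0)
            return -1;               /* e.g. Xorg not on a virtual console */
        int n = snprintf(out->ut_line, sizeof(out->ut_line), "vt/%ld", vt);
        if (n < 0 || (size_t)n >= sizeof(out->ut_line))
            return -1;               /* never record a truncated name */
    } else {
        return -1;
    }
    snprintf(out->pam_tty, sizeof(out->pam_tty), "/dev/%s", out->ut_line);
    return 0;
}

int main(void)
{
    long prop[] = { 7 };             /* constructed sample property value */
    struct session_tty t;
    if (derive_session_tty(SESSION_XORG, vt_from_property(prop, 1, 32), &t) == 0)
        printf("PAM_TTY=%s ut_line=%s\n", t.pam_tty, t.ut_line);
    return 0;
}
```

Returning an error instead of silently falling back keeps the audit terminal id and the utmpx record from naming a terminal the session is not actually on.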
