Alan Coopersmith wrote:
> Darren J Moffat wrote:
>> /dev/console could, I believe, be a serial line. That
>> means that the console could be in a physically separate
>> location to the usb attached keyboard/mouse and the monitor.
>>
>> In that case it may not be desirable that root can login
>> on the /dev/vt# entries but we would accept it on
>> /dev/console since that is the serial line.
>>
>> My concern is with CONSOLE=/dev/console suddenly starting
>> to mean /dev/console and all the allocated /dev/vt# entries.
>
> So should a new name be introduced that means /dev/console and
> all /dev/vt*'s? Say /dev/vt* or /dev/vc/* ?
>
>> Now in my opinion CONSOLE= is actually the wrong interface
>> here. On at least one Linux system I've seen they do
>> this check in a PAM module (where we should be doing it)
>> and it checks a file /etc/securetty.
>
> That's what BSDs use too, isn't it?
NetBSD uses a PAM module of the same name as RHEL, pam_securetty, but uses /etc/ttys and looks for the secure token.

>> What we do need to agree on though is if /dev/console
>> should continue to mean just /dev/console or should
>> it mean /dev/console and all /dev/vt# devices. Personally
>> I prefer that it stay meaning just /dev/console and that
>> some other case fix login(1) and introduce the appropriate
>> PAM module to allow root to login on other devices.
>
> Moving it into PAM would reduce one of the reasons other
> code calls libcmd to read /etc/default/login (it's not just
> login - it's also xdm, gdm, & dtlogin), which is also a good
> thing.

See my proposal in my other email message cc'd to this list and sent to security-discuss.

--
Darren J Moffat
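The three root-login-restriction mechanisms named in this thread (Solaris CONSOLE= in /etc/default/login, Linux pam_securetty reading /etc/securetty, and NetBSD pam_securetty reading the "secure" flag in /etc/ttys) differ in shape but answer the same question: may root log in on this terminal? The following is an added illustration, not code from the thread or from any of those projects. The configuration contents are constructed samples, the device names are illustrative, and the simplified semantics (an empty or commented-out CONSOLE= meaning "no restriction", an unlisted tty in /etc/ttys meaning "not secure") are assumptions made for the example.

```python
"""Root-login-on-terminal policy checks (added illustration, constructed data).

Models the three policy formats discussed in the thread:
  * Solaris /etc/default/login: CONSOLE=<device>; root may log in only there
  * Linux pam_securetty: /etc/securetty lists permitted tty names, one per line
  * NetBSD pam_securetty: /etc/ttys lines carry a "secure" flag per tty
"""
import shlex

# Constructed sample: Solaris-style /etc/default/login
DEFAULT_LOGIN = """\
# If CONSOLE is set, root can only login on that device.
CONSOLE=/dev/console
TIMEOUT=300
"""

# Constructed sample: Linux-style /etc/securetty
SECURETTY = """\
# terminals on which root may log in
console
ttyS0
tty1
"""

# Constructed sample: NetBSD-style /etc/ttys
# fields: name  getty-command  terminal-type  status  [secure]
TTYS = """\
console "/usr/libexec/getty Pc"       vt100   off secure
ttyE0   "/usr/libexec/getty Pc"       wsvt25  on  secure
ttyE1   "/usr/libexec/getty Pc"       wsvt25  on
tty00   "/usr/libexec/getty std.9600" unknown on
"""


def _strip_dev(tty: str) -> str:
    """Normalise '/dev/tty1' and 'tty1' to the bare device name."""
    return tty[5:] if tty.startswith("/dev/") else tty


def root_allowed_default_login(cfg: str, tty: str) -> bool:
    """Solaris CONSOLE= semantics: if CONSOLE names a device, root may log in
    only on exactly that device. Assumption for this example: an unset, empty
    or commented-out CONSOLE means root may log in anywhere."""
    console = None
    for line in cfg.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "CONSOLE":
            console = value.strip() or None
    if console is None:
        return True
    # Exact match only: /dev/console does NOT cover /dev/vt1 in this model,
    # which is the meaning the thread wants CONSOLE= to keep.
    return _strip_dev(console) == _strip_dev(tty)


def root_allowed_securetty(cfg: str, tty: str) -> bool:
    """Linux pam_securetty semantics: root may log in only on listed ttys."""
    allowed = {line.strip() for line in cfg.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    return _strip_dev(tty) in allowed


def root_allowed_ttys(cfg: str, tty: str) -> bool:
    """NetBSD semantics: root may log in only where the tty's /etc/ttys entry
    carries the 'secure' token. A tty with no entry is treated as not secure."""
    name = _strip_dev(tty)
    for line in cfg.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = shlex.split(line)      # honours the quoted getty command
        if fields and fields[0] == name:
            return "secure" in fields[1:]
    return False


if __name__ == "__main__":
    # Compare the three policies side by side for a few illustrative devices.
    for dev in ("/dev/console", "/dev/vt1", "/dev/ttyS0", "/dev/ttyE0", "/dev/ttyE1"):
        print(f"{dev:13} solaris={root_allowed_default_login(DEFAULT_LOGIN, dev)!s:5} "
              f"linux={root_allowed_securetty(SECURETTY, dev)!s:5} "
              f"netbsd={root_allowed_ttys(TTYS, dev)!s:5}")
```

Running the file prints one line per device showing which policy would admit root there; the Solaris column shows why the thread objects to CONSOLE=/dev/console silently growing to cover the /dev/vt# devices, since a serial /dev/console and a locally attached virtual terminal are distinct devices under this check.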