Alan Coopersmith wrote:
> Darren J Moffat wrote:
>> /dev/console could, I believe, be a serial line. That
>> means that the console could be in a physically separate
>> location to the usb attached keyboard/mouse and the monitor.
>> In that case it may not be desirable that root can login
>> on the /dev/vt# entries but we would accept it on
>> /dev/console since that is the serial line.
>> My concern is with CONSOLE=/dev/console suddenly starting
>> to mean /dev/console and all the allocated /dev/vt# entries.
> So should a new name be introduced that means /dev/console and
> all /dev/vt*'s? Say /dev/vt* or /dev/vc/* ?
>> Now in my opinion CONSOLE= is actually the wrong interface
>> here. On at least one Linux system I've seen they do
>> this check in a PAM module (where we should be doing it)
>> and it checks a file /etc/securetty.
> That's what BSD's use too isn't it?
NetBSD uses a PAM module of the same name as RHEL, pam_securetty,
but uses /etc/ttys and looks for the secure token.
>> What we do need to agree on though is if /dev/console
>> should continue to mean just /dev/console or should
>> it mean /dev/console and all /dev/vt# devices. Personally
>> I prefer that it stay meaning just /dev/console and that
>> some other case fix login(1) and introduce the appropriate
>> PAM module to allow root to login on other devices.
> Moving it into PAM would reduce one of the reasons other
> code calls libcmd to read /etc/default/login (it's not just
> login - it's also xdm, gdm, & dtlogin), which is also a good
See my proposal in my other email message cc'd to this
list and sent to security-discuss.
Darren J Moffat
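To make the policy question above concrete (does "console" mean only the serial /dev/console, or /dev/console plus every allocated /dev/vt# entry?), here is an added, simplified securetty-style check in Python; it is not Solaris login(1), libcmd, or any real pam_securetty source. The optional /dev/ prefix on entries and the acceptance of glob patterns are assumptions of this example, and the sample policy files are constructed.

```python
import fnmatch

DEV_PREFIX = "/dev/"


def _strip_dev(name):
    """Normalise 'console' and '/dev/console' to the same key."""
    return name[len(DEV_PREFIX):] if name.startswith(DEV_PREFIX) else name


def parse_securetty(text):
    """Parse securetty-style contents: one tty per line, '#' comments and
    blank lines ignored, /dev/ prefix optional (assumption of this example)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(_strip_dev(line))
    return entries


def tty_is_secure(tty, securetty_text):
    """True if `tty` (as login(1), xdm or dtlogin would hand it to PAM,
    e.g. '/dev/vt1') matches a listed entry.  Glob patterns are an
    assumption of this example, so '/dev/vt[0-9]*' covers every allocated
    /dev/vt# at once.  An empty list denies root everywhere (fail closed)."""
    name = _strip_dev(tty)
    return any(fnmatch.fnmatchcase(name, pat)
               for pat in parse_securetty(securetty_text))


def root_login_allowed(user, tty, securetty_text):
    """The decision a pam_securetty-style module would make:
    only root is restricted to the listed ttys."""
    if user != "root":
        return True
    return tty_is_secure(tty, securetty_text)


# Constructed policies for the two readings discussed in the thread:
# the serial console only, or the console plus the /dev/vt# entries.
SERIAL_ONLY = "# serial line in the machine room\nconsole\n"
CONSOLE_AND_VTS = SERIAL_ONLY + "/dev/vt[0-9]*   # VTs on the USB keyboard/monitor\n"

if __name__ == "__main__":
    for label, policy in (("serial-only", SERIAL_ONLY), ("console+vts", CONSOLE_AND_VTS)):
        for tty in ("/dev/console", "/dev/vt1", "/dev/pts/3"):
            print(label, tty, root_login_allowed("root", tty, policy))
```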