Alan Coopersmith wrote:
> Darren J Moffat wrote:
>> This check is currently implemented in login(1) rather than in a
>
> ...and in xdm, gdm, and dtlogin too...
>
>> PAM module where it really belongs.
>
> Yes! Please!
>
>> Solution
>> --------
>> This case proposes the introduction of a pam_securetty(5) module
>> and the removal of the explicit check for CONSOLE= from login(1).
>> The OpenSolaris pam_securetty will perform the CONSOLE= check, so
>> that that interface is preserved.
>
> Will we be able to remove this check from the gui logins too?

I hope so, that is certainly where I'd like to get to.

> What will they need to do? (For some reason, the community xdm
> & gdm sources pass the X display as the PAM_TTY value, so we'd
> either need to change them or add :0 to /etc/securetty. From
> looking at the dtlogin code, it appears to pass /dev/console as
> PAM_TTY.)

Hmm, I wonder how Linux and BSD distros that use gdm deal with this one. From what I remember of gdm it has its own explicit root login check, is that still true?

Since the PAM item is called PAM_TTY it seems strange to pass anything other than a TTY device name in there. I think the problem with using :0 rather than /dev/console is that :0 isn't necessarily the system console; it could be an Xvnc server or some other non-local device server, right?

So I think that xdm/gdm/dtlogin should all pass either /dev/console or the /dev/vt/# device they are actually using; then pam_securetty works exactly the same for gui and non-gui login.

--
Darren J Moffat
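The point argued above, as an added example that is not part of the original message and not the OpenSolaris module's code: a root-tty check keyed on PAM_TTY accepts /dev/console or a /dev/vt/# device, but rejects the X display name :0 unless that string is itself listed. The list format (one device per line, # comments), the helper names and the sample list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Treat "/dev/console" and "console" as the same device name. */
static const char *strip_dev(const char *s) {
    return strncmp(s, "/dev/", 5) == 0 ? s + 5 : s;
}

/* Hypothetical helper: 1 if pam_tty is listed in list
 * (one device per line, '#' starts a comment), else 0. */
int tty_is_secure(const char *pam_tty, const char *list) {
    if (pam_tty == NULL || *pam_tty == '\0') return 0; /* no tty: fail closed */
    const char *want = strip_dev(pam_tty);
    for (const char *p = list; *p != '\0'; ) {
        size_t len = strcspn(p, "\n");
        char line[128];
        if (len < sizeof line) {           /* over-long lines are ignored */
            memcpy(line, p, len);
            line[len] = '\0';
            line[strcspn(line, "#")] = '\0';          /* drop comment */
            size_t n = strlen(line);
            while (n > 0 && strchr(" \t\r", line[n - 1]) != NULL)
                line[--n] = '\0';                     /* trim trailing space */
            const char *entry = line + strspn(line, " \t");
            if (*entry != '\0' && strcmp(strip_dev(entry), want) == 0)
                return 1;
        }
        p += len;
        if (*p == '\n') p++;
    }
    return 0;
}

/* Only root (uid 0) is restricted to listed ttys. */
int login_allowed(unsigned uid, const char *pam_tty, const char *list) {
    return uid != 0 || tty_is_secure(pam_tty, list);
}

/* Constructed sample list, not taken from any real system. */
static const char SAMPLE_SECURETTY[] =
    "# constructed sample\n"
    "console\n"
    "/dev/vt/2   # second virtual terminal\n";

int main(void) {
    const char *ttys[] = { "/dev/console", "/dev/vt/2", ":0", "/dev/pts/3" };
    for (size_t i = 0; i < 4; i++)
        printf("%-14s root allowed: %d\n", ttys[i],
               login_allowed(0, ttys[i], SAMPLE_SECURETTY));
    return 0;
}
```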