Alan Coopersmith wrote:
> Darren J Moffat wrote:
>> This check is currently implemented in login(1) rather than in a
> 
> ...and in xdm, gdm, and dtlogin too...
> 
>> PAM module where it really belongs.
> 
> Yes! Please!
> 
>> Solution
>> --------
>> This case proposes the introduction of a pam_securetty(5) module
>> and the removal of the explicit check for CONSOLE= from login(1).
>> The OpenSolaris pam_securetty will perform the CONSOLE= check, so
>> that that interface is preserved.  
> 
> Will we be able to remove this check from the gui logins too?

I hope so, that is certainly where I'd like to get to.

> What will they need to do?   (For some reason, the community xdm
> & gdm sources pass the X display as the PAM_TTY value, so we'd
> either need to change them or add :0 to /etc/securetty.  From
> looking at the dtlogin code, it appears to pass /dev/console as
> PAM_TTY.)

Hmm, I wonder how Linux and BSD distros that use gdm deal with this
one.  From what I remember of gdm it has its own explicit root
login check, is that still true?

Since the PAM item is called PAM_TTY it seems strange to pass
anything other than a TTY device name in there.  I think the
problem with using :0 rather than /dev/console is that :0 isn't
necessarily the system console; it could be an Xvnc server or some other
non-local device server, right?

So I think that xdm/gdm/dtlogin should all pass either /dev/console or
the /dev/vt/# device they are actually using; then pam_securetty works
exactly the same for gui and non-gui login.


-- 
Darren J Moffat
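
The CONSOLE= comparison discussed in this thread, as an added C sketch that is not from the thread or from the OpenSolaris source. It assumes CONSOLE= is read from /etc/default/login text, that a commented-out line means no restriction, and that the match against PAM_TTY is an exact string comparison; the function names and the sample configuration are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /etc/default/login content (not from the thread). */
static const char SAMPLE_CONF[] =
    "# root may only log in on this device\n"
    "CONSOLE=/dev/console\n";

/* Find an uncommented CONSOLE= line; return its value (not NUL-terminated)
 * and length, or NULL when the setting is absent or commented out. */
static const char *console_value(const char *conf, size_t *len)
{
    while (*conf) {
        size_t n = strcspn(conf, "\n");
        if (n >= 8 && strncmp(conf, "CONSOLE=", 8) == 0) {
            *len = n - 8;
            return conf + 8;
        }
        conf += n + (conf[n] == '\n');
    }
    return NULL;
}

/* Hypothetical decision function: 1 = allow, 0 = deny.
 * Assumed policy: only uid 0 is restricted, and PAM_TTY must equal the
 * CONSOLE= value exactly. A missing PAM_TTY fails closed. */
int root_login_allowed(const char *conf, int uid, const char *pam_tty)
{
    size_t len;
    const char *console = console_value(conf, &len);

    if (uid != 0 || console == NULL)
        return 1;
    if (pam_tty == NULL)
        return 0;
    return strlen(pam_tty) == len && memcmp(pam_tty, console, len) == 0;
}

int main(void)
{
    /* PAM_TTY values the thread attributes to dtlogin and to xdm/gdm. */
    const char *ttys[] = { "/dev/console", ":0" };
    for (size_t i = 0; i < 2; i++)
        printf("root on %-12s -> %s\n", ttys[i],
               root_login_allowed(SAMPLE_CONF, 0, ttys[i]) ? "allow" : "deny");
    return 0;
}
```

With this exact-match policy a display manager that passes :0 as PAM_TTY is refused for root even on the local console, which is the mismatch the thread raises.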
