Alan Coopersmith wrote:
> Darren J Moffat wrote:
>> This check is currently implemented in login(1) rather than in a
> ...and in xdm, gdm, and dtlogin too...
>> PAM module where it really belongs.
> Yes! Please!
>> This case proposes the introduction of a pam_securetty(5) module
>> and the removal of the explicit check for CONSOLE= from login(1).
>> The OpenSolaris pam_securetty will perform the CONSOLE= check, so
>> that that interface is preserved.
> Will we be able to remove this check from the gui logins too?
I hope so, that is certainly where I'd like to get to.
> What will they need to do? (For some reason, the community xdm
> & gdm sources pass the X display as the PAM_TTY value, so we'd
> either need to change them or add :0 to /etc/securetty. From
> looking at the dtlogin code, it appears to pass /dev/console as
Hmn I wonder how Linux and BSD distros that use gdm deal with this
one. From what I remember of gdm it has its own explicit root
login check, is that still true?
Since the PAM item is called PAM_TTY it seems strange to pass
anything other than a TTY device name in there. I think the
problem with using :0 rather than /dev/console is that :0 isn't
necessarily the system console; it could be an Xvnc server or some other
non-local device server, right?
So I think that xdm/gdm/dtlogin should all pass either /dev/console or
the /dev/vt/# device they are actually using; then pam_securetty works
exactly the same for gui and non-gui login.
Darren J Moffat
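
The CONSOLE= check discussed in this thread, as an added sketch that is not code from login(1) or from the proposed pam_securetty module: it shows why a display manager that puts ":0" in PAM_TTY fails a check that a /dev/console value passes. The function names, the exact-string comparison and the sample defaults-file contents are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples of a defaults file: check enabled, then commented out. */
static const char DEFAULTS_ON[]  = "# sample\nTIMEOUT=300\nCONSOLE=/dev/console\n";
static const char DEFAULTS_OFF[] = "# sample\n#CONSOLE=/dev/console\n";

/* Return a pointer to the value of an uncommented, non-empty CONSOLE= line
 * and store its length in *vlen; return NULL when no such line exists. */
static const char *console_setting(const char *text, size_t *vlen)
{
    for (const char *line = text; *line != '\0'; ) {
        size_t len = strcspn(line, "\n");
        if (len > 8 && strncmp(line, "CONSOLE=", 8) == 0) {
            *vlen = len - 8;
            return line + 8;
        }
        line += len;
        if (*line == '\n')
            line++;
    }
    return NULL;
}

/* Hypothetical decision function: 1 = allow, 0 = deny.
 * Only uid 0 is restricted, and only when CONSOLE= is set. */
int root_login_allowed(const char *defaults, unsigned uid, const char *pam_tty)
{
    size_t vlen = 0;
    const char *console = console_setting(defaults, &vlen);

    if (uid != 0 || console == NULL)
        return 1;
    if (pam_tty == NULL)          /* no TTY item set: fail closed */
        return 0;
    /* Assumed comparison: PAM_TTY must equal the configured device exactly. */
    return strlen(pam_tty) == vlen && strncmp(pam_tty, console, vlen) == 0;
}

int main(void)
{
    const char *ttys[] = { "/dev/console", ":0", "/dev/pts/3" };
    for (size_t i = 0; i < 3; i++)
        printf("root on %-12s -> %s (check off: %s)\n", ttys[i],
               root_login_allowed(DEFAULTS_ON, 0, ttys[i]) ? "allow" : "deny",
               root_login_allowed(DEFAULTS_OFF, 0, ttys[i]) ? "allow" : "deny");
    return 0;
}
```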