Darren J Moffat schrieb: > Alan Coopersmith wrote:
>> What will they need to do? (For some reason, the community xdm >> & gdm sources passes the X display as the PAM_TTY value, so we'd >> either need to change them or add :0 to /etc/securetty. From >> looking at the dtlogin code, it appears to pass /dev/console as >> PAM_TTY.) > > Hmn I wonder how Linux and BSD distros that use gdm deal with this > one. From what I remember of gdm it has its own explicit root > login check, is that still true ? > > Since the PAM item is called PAM_TTY it seems strange to pass > anything other than a TTY device name in there. Linux-PAM has officially (re)defined it that way - and of course that is what most community developers develop against: "PAM_TTY: The terminal name: prefixed by /dev/ if it is a device file; for graphical, X-based, applications the value for this item should be the $DISPLAY variable." See the Linux-PAM home-page or the Linux pam(3) man-page: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_set_item http://www.die.net/doc/linux/man/man3/pam_get_item.3.html > I think the > problem with using :0 rather than /dev/console is that :0 isn't > necessarily the system console it could be an Xvnc server or some other > non local device server, right ? > > So I think that xdm/gdm/dtlogin should all pass either /dev/console or > the /dev/vt/# device they are actually using then pam_securetty works > exactly the same for gui and non gui login. > > - J?rg -- Joerg Barfurth phone: +49 40 23646662 / x66662 Software Engineer mailto:joerg.barfurth at sun.com Desktop Technology http://reserv.ireland/twiki/bin/view/Argus/ Thin Client Software http://www.sun.com/software/sunray/ Sun Microsystems GmbH http://www.sun.com/software/javadesktopsystem/
