Darren J Moffat wrote:
> Alan Coopersmith wrote:

>> What will they need to do?   (For some reason, the community xdm
>> & gdm sources pass the X display as the PAM_TTY value, so we'd
>> either need to change them or add :0 to /etc/securetty.  From
>> looking at the dtlogin code, it appears to pass /dev/console as
>> PAM_TTY.)
> 
> Hmm, I wonder how Linux and BSD distros that use gdm deal with this
> one.   From what I remember of gdm it has its own explicit root
> login check, is that still true?
> 
> Since the PAM item is called PAM_TTY it seems strange to pass
> anything other than a TTY device name in there. 

Linux-PAM has officially (re)defined it that way - and of course that is 
what most community developers develop against:

"PAM_TTY: The terminal name: prefixed by /dev/ if it is a device file; 
for graphical, X-based, applications the value for this item should be 
the $DISPLAY variable."

See the Linux-PAM home-page or the Linux pam(3) man-page:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_set_item
http://www.die.net/doc/linux/man/man3/pam_get_item.3.html

> I think the
> problem with using :0 rather than /dev/console is that :0 isn't 
> necessarily the system console; it could be an Xvnc server or some other 
> non local device server, right?
> 
> So I think that xdm/gdm/dtlogin should all pass either /dev/console or 
> the /dev/vt/# device they are actually using, then pam_securetty works
> exactly the same for gui and non gui login.
> 
> 

- Jörg

-- 
Joerg Barfurth           phone: +49 40 23646662 / x66662
Software Engineer        mailto:joerg.barfurth at sun.com
Desktop Technology       http://reserv.ireland/twiki/bin/view/Argus/
Thin Client Software     http://www.sun.com/software/sunray/
Sun Microsystems GmbH    http://www.sun.com/software/javadesktopsystem/
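
Added example, not part of the original message and not code from any PAM implementation: a simplified model of a securetty-style root check, showing how the two PAM_TTY conventions discussed in the thread (a device path versus the $DISPLAY string) compare against /etc/securetty entries. It assumes the lookup drops a leading "/dev/" and then requires an exact match with a listed entry; the function name, the sample securetty contents and the ":1" value are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample securetty contents (one terminal name per entry). */
static const char *const SECURETTY_CONSOLE_ONLY[] = { "console" };
static const char *const SECURETTY_WITH_DISPLAY[] = { "console", ":0" };

/* Simplified model of a securetty-style check (an assumption, not module
 * source): non-root users are never restricted; for root, a leading
 * "/dev/" is dropped from PAM_TTY and the rest must equal a listed entry. */
static int securetty_allows(int is_root, const char *pam_tty,
                            const char *const *entries, size_t n)
{
    static const char prefix[] = "/dev/";
    size_t i;

    if (!is_root)
        return 1;
    if (pam_tty == NULL || *pam_tty == '\0')
        return 0;               /* no terminal recorded: refuse root */
    if (strncmp(pam_tty, prefix, sizeof(prefix) - 1) == 0)
        pam_tty += sizeof(prefix) - 1;
    for (i = 0; i < n; i++)
        if (strcmp(pam_tty, entries[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Device-path style values next to $DISPLAY style values. */
    const char *values[] = { "/dev/console", ":0", ":1", "/dev/vt/2" };
    size_t i;

    for (i = 0; i < sizeof(values) / sizeof(values[0]); i++)
        printf("%-13s console-only=%d with-:0=%d\n", values[i],
               securetty_allows(1, values[i], SECURETTY_CONSOLE_ONLY, 1),
               securetty_allows(1, values[i], SECURETTY_WITH_DISPLAY, 2));
    return 0;
}
```

The check sees only the string: once ":0" is listed, any login that reports ":0" as PAM_TTY passes, whatever server is behind that display.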


