Hi Riku, On Mon, May 28, 2012 at 01:18:47PM +0300, Riku Voipio wrote: > The /etc/securetty file lists every tty known to mankind, but only > upto a randomly selected amout. And whenever a new serial driver is > added to the kernel, this file needs to be updated.
> Thus, in practice, the default setting is > Allow root login on random consoles, for example serial lines 0-5 > but serial lines 6-191 are considered dangerous as well as any new > serial drivers. > Checking against the default securetty is no additional security. > To be of any practical advantage, the system administrator has to > tailor the file to match their own serial port setup. > In it's current form securetty check is just a nuisance to people with > many serial ports or new serial drivers. > I suggest disabling pam_securetty check by default. The minority of users > who actually have consoles with different security levels need to adjust > the securetty file anyways, so they might adjust the pam_securetty setting > /etc/pam.d/login as well. > Alternatively I'd like to hear a realistic scenario where the current > default is useful And someone running a UNIX museum where serial ports 0-6 > are in staff room while rest are in public access does not count as one! The purpose of this file is to ensure that *only* local terminals are used for root logins. It's intended to prevent, e.g., sending the root password unencrypted over the network via telnet. So the security benefit isn't in preventing users from logging in as root over certain serial lines, it's in preventing users from logging in as root over *pseudo*ttys. The fact that we don't have a comprehensive list of ttys is a bug; but we should find a way to fix that by making the list more comprehensive rather than by removing the limit entirely. We probably want globbing support here. (I think I may recall seeing that a newer upstream version of Linux-PAM implements this.) BTW, why does every single serial driver need its own device names? I think that's a bug of its own. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slanga...@ubuntu.com vor...@debian.org
signature.asc
Description: Digital signature
