On Mon, May 28, 2012 at 09:17:15PM -0700, Steve Langasek wrote:
> The purpose of this file is to ensure that *only* local terminals are used
> for root logins. It's intended to prevent, e.g., sending the root password
> unencrypted over the network via telnet.

-snip-
user@ammo:~$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Ubuntu 12.04 LTS
ammo login: root
Login incorrect
ammo login: user
Password:
Last login: Tue May 29 09:11:05 EEST 2012 from localhost on pts/1
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-24-generic x86_64)

 * Documentation: https://help.ubuntu.com/

No mail.
user@ammo:~$ su -
Password:
root@ammo:~#
-snip-

Now that doesn't look like a very successful protection for people who want to shoot themselves in the foot..

> So the security benefit isn't in preventing users from logging in as root
> over certain serial lines, it's in preventing users from logging in as root
> over *pseudo*ttys.

It is unix museumware from a time when people didn't use ssh and su/sudo all the time.

http://tinyurl.com/cqtxgap

The venn diagram of people who have telnetd, would use it for root *and* do not know su or sudo is quite nonexistent. Meanwhile, the need to add lines to securetty happens every now and then.

> The fact that we don't have a comprehensive list of ttys
> is a bug; but we should find a way to fix that by making the list more
> comprehensive rather than by removing the limit entirely. We probably want
> globbing support here. (I think I may recall seeing that a newer upstream
> version of Linux-PAM implements this.)

It would become a long file for checking something that most users have no use for. Globbing would help, but at the price of extra code running during a security-critical code phase. I don't think improving a check that was designed for a different age makes much sense. An alternative could be to list the pseudottys, since people don't add new pseudotty drivers all the time.

> BTW, why does every single serial driver need its own device names? I think
> that's a bug of its own.

Historically they did not. Then someone decided everything being ttyS* was ugly and the current way is cleaner.
I agree the kernel developers have gone bonkers (also with the unstable network interface names), but that's just how it is.

Riku

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
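The following is an added example, not part of the bug thread and not Linux-PAM's own code: a small Python model of the decision that the securetty check makes, written to make the two points in the discussion concrete. It shows that the check only ever looks at the name of the terminal a *root* login arrives on (so a pseudo-tty such as pts/1 is refused, while a non-root login on the same pty is not examined at all, and a later `su -` is outside this check entirely), and it contrasts the classic exact-match list with the globbing variant the quoted reply proposes. The two securetty file contents, the `parse_securetty`, `tty_allowed` and `root_login_decision` functions and the sample terminals are all constructed for this illustration; they are not a copy of any distribution's /etc/securetty or of pam_securetty's real matching rules.

```python
"""Model of the securetty check (added example, not Linux-PAM code).

The file contents below are constructed sample data, not a copy of any
distribution's /etc/securetty.
"""
from fnmatch import fnmatchcase

# Constructed sample securetty content in the traditional one-name-per-line form.
SECURETTY_PLAIN = """\
# local virtual consoles
console
tty1
tty2
tty3
# the first two on-board serial ports
ttyS0
ttyS1
"""

# The same policy written with glob patterns, as the quoted reply proposes.
SECURETTY_GLOB = """\
console
tty[1-6]
ttyS*
ttyAMA*
"""


def parse_securetty(text):
    """Return the list of tty names/patterns, dropping blank and comment lines."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line)
    return names


def tty_allowed(tty, entries, use_glob=False):
    """Decide whether a root login on `tty` is permitted by `entries`.

    `tty` is the device name without the /dev/ prefix (e.g. "tty1", "ttyS0",
    "pts/1").  With use_glob=False only exact matches count, which is the
    classic behaviour; with use_glob=True each entry is a shell-style pattern
    (hypothetical extension, modelled with fnmatch).
    """
    for entry in entries:
        if use_glob:
            if fnmatchcase(tty, entry):
                return True
        elif tty == entry:
            return True
    return False


def root_login_decision(tty, user, entries, use_glob=False):
    """Only root logins are subject to the list; any other user passes untouched."""
    if user != "root":
        return "allowed (securetty not consulted)"
    return "allowed" if tty_allowed(tty, entries, use_glob) else "denied"


def main():
    plain = parse_securetty(SECURETTY_PLAIN)
    globbed = parse_securetty(SECURETTY_GLOB)
    # Constructed sample logins: (terminal name, account name).
    cases = [
        ("tty1", "root"),     # local virtual console: allowed either way
        ("pts/1", "root"),    # telnet/ssh pseudo-tty: denied either way
        ("pts/1", "user"),    # ordinary user on the same pty: never checked
        ("ttyS3", "root"),    # serial port missing from the plain list
        ("ttyAMA0", "root"),  # a serial driver with its own device name
    ]
    for tty, user in cases:
        print(f"{tty:8} {user:5} "
              f"plain={root_login_decision(tty, user, plain):36} "
              f"glob={root_login_decision(tty, user, globbed, use_glob=True)}")


if __name__ == "__main__":
    main()
```

Running the block prints one line per sample login. The interesting rows are `pts/1 user`, which is allowed under both files because the list is never consulted for non-root accounts (which is exactly why the `su -` in the session above succeeds), and `ttyS3` / `ttyAMA0`, which the plain list denies only because nobody added those names, while the glob file covers them with two short patterns.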