On Thu, Apr 10, 2014 at 2:30 AM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote: > On Wed, Apr 09, 2014 at 10:20:36PM +0200, Lennart Poettering wrote: >> >> This sounds entirely backwards, and I'd instead vote for removing >> securetty from the PAM stacks we ship altogether. The concept is >> outdated. It was useful in a time where the primary way to access a >> server was via physically attached TTY devices. But that time is mostly >> over... >> >> Nowadays the device names exposed by the kernel tend to be dynamically >> assigned, they should not be assumed stable (with one exeption, classic >> UART 16650 serial ports). Stable paths for these devices we add in via >> symlinks these days, using /dev/*/by-path/, /dev/*/by-id/, -- as you >> might know from disk devices. Now, the securetty logic is unable to >> verify things using these symlinks, hence the entire concept is >> flawed. It will use an unsteable device name instead, making it mostly >> useless in hotplug scenarios. >> >> securetty is particularly annoying when we use containers. Tools like >> "machinectl login" will dynamically spawn a getty for you on a pts >> device in the container, but since pts is not listed in securetty you >> cannot log in as root by default. And you cannot event add a wildcard >> match of pts/* to it, to make this work nicely. > > Yep, the securetty file is one of only 2 remaining blockers for getting > login working out of the box in containers. Removing securetty would be a > great help there given the inability to wildcard pts/*. The other problem > is of course the horrible pam audit module, which the kernel guys are > hopefully working towards a solution for. > > Regards, > Daniel > -- > |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| > |: http://libvirt.org -o- http://virt-manager.org :| > |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| > |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| > -- > devel mailing list > devel@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/devel > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct ------- On Wed, Apr 9, 2014 at 2:50 PM, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote: > On Wed, Apr 09, 2014 at 11:39:19PM +0200, Lennart Poettering wrote: >> To clarify this: while I believe dropping securetty from the default PAM >> config is the right thing to do, I am not vulunteering to do it. But I'd >> love to see somebody to pick this up! > > I looked, and I think this is just a change in util-linux package (not the > source even; the pam files are packaged as separate sources) + a note in the > release notes. It's not referenced in authconfig or anything. > > I guess maybe we'd also want to remove /etc/securetty to reduce confusion > (since the normal semantics are that missing file = nothing blocked), that's > in setup. > > But otherwise, I think it just comes down to filing an RFE and getting the > util-linux maintainer on board. Probably best after this change proposal > gets to FESCo -- at that point, I'll put this forward as a counter-proposal. > > -- > Matthew Miller -- Fedora Project -- <mattdm@xxxxxxxxxxxxxxxxx> > "Tepid change for the somewhat better!" > -- > devel mailing list > devel@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/devel > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct ---------------- Not that it matters much, but I support the counter-proposal based on above. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
