Ticket #1 (closed enhancement: fixed)

Opened 3 years ago

Last modified 3 years ago

allow root login on devices from /sys/class/tty/console/active

Reported by: sharkcz Owned by: pam-developers@…
Priority: major Component: modules
Version: Keywords:
Cc: Blocked By:
Blocking:

Description

root should be allowed to login on devices from "/sys/class/tty/console/active". On s390x the kernel presents various consoles (z/VM console, HMC console for LPARs) as /dev/ttyS? and with the recent switch from upstart to systemd the init process doesn't call /sbin/securetty to add the serial line device to /etc/securetty when getty is started. The /sys/class/tty/console/active file was added in this commit - http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fbc92a3455577ab17615cbcb91826399061bd789

From a discussion with Lennart on #systemd:

<sharkcz> we have a problem in F-15 on system with main console on ttyS0 where
root can't log in because ttyS0 is not /etc/securetty, upstart (or better
upstart job in initscripts) took care of that earlier
<mezcalero> sharkcz: pam_securetty has been updated to check console= from the
kernel cmdline
<mezcalero> and allow that too
<sharkcz> ah, but on s390x the console= is not used and the kernel uses ttyS0
by default
<mezcalero> sharkcz: hmm, i guess we should update pam_securetty to check
/sys/class/tty/console/active instead of the cmdline
<mezcalero> that should work for you, too, then, right?
<sharkcz> mezcalero: yep, looks like it has the correct value
<mezcalero> sharkcz: it's actually a list of values
<mezcalero> sharkcz: because you can pass console= multiple times on the kernel
cmdline
<mezcalero> sharkcz: anyway, such a fix should be simple to do
<mezcalero> sharkcz: for compat with older kernels the current cmdline check
probably should stay in pam_securetty
<mezcalero> but the new check used if /sys/class/tty/console/active can be
opened}}}

For Fedora bug please see https://bugzilla.redhat.com/show_bug.cgi?id=704442

Attachments

pam-1.1.3-securetty-console-active.patch (2.3 KB) - added by sharkcz 3 years ago.

Change History

Changed 3 years ago by sharkcz

comment:1 Changed 3 years ago by tmraz

  • Owner set to pam-developers@…

comment:2 Changed 3 years ago by tmraz

  • Status changed from new to closed
  • Resolution set to fixed

comment:3 Changed 3 years ago by tmraz

BTW, I've modified the patch and also made it disabled when noconsole option is specified.

Note: See TracTickets for help on using tickets.