On Mar 11, 2012, at 7:47 AM, Armin K. wrote:

> On 03/11/2012 03:33 PM, Qrux wrote:
>> 
>> On Mar 11, 2012, at 6:54 AM, Armin K. wrote:
>> 
>>> On 03/11/2012 02:47 PM, Andrew Benton wrote:
>>>> On Sun, 11 Mar 2012 13:18:16 +0000
>>>> "Armin K." <kre...@email.com> wrote:
>>>> 
>>>>> Also, I noticed there is pam_securetty module, and
>>>>> according to that module documentation, it looks for /etc/securetty file
>>>>> to check from which tty's is root user allowed to login.
>>>> 
>>>> If a malicious hacker has physical access to the machine, what use are
>>>> shadow and pam? They can just boot from a USB stick and do what they
>>>> like. Or have I missed the point?
>> 
>> Console access != Physical access.  IP KVMs, etc.
>> 
>>> According to your reply, shadow and linux pam are unnecessary. I am not
>>> talking about extreme situations. If you don't like it, don't use it.
>>> But something should be done for the sake of the book and its readers.
>>> Either, make somewhere a note about creating the file, or comment out
>>> pam module so it doesn't print a warning or whatever.
>> 
>> Are errors thrown even if pam_securetty.so is not on the stack?  I think 
>> pam_securetty is a module, and I thought modules were optional...
>> 
> 
> Yes, modules are optional. But pam_securetty in BLFS instructions is set 
> as "required" in /etc/pam.d/{login,su}, so hence it prints a warning.
> 
> login[353]: pam_securetty(login:auth): Couldn't open /etc/securetty: No 
> such file or directory

So, yeah...If the book includes it and sets it to required, then...not having 
that file seems to be in error.

How about commenting it out, perhaps with an accompanying note in the config 
file and the book that if it's enabled, an /etc/securetty file would have to 
exist?  I just think having some ttys unavailable to a root user would be 
"surprising", and some people might not know where to look.  OTOH, if they're 
familiar with PAM, they'll know how to configure whatever behavior they want.

>> Either way, it seems Armin was asking a question about correctness, because 
>> he observed that not having the file is raising warnings--not if we should 
>> leave software misconfigured because a physical break-in would render the 
>> issue moot.
>> 
> You deserve a medal for this reply.

LOL...I was just trying to clarify because it seemed your concern was 
reasonable.

        Q
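A small audit script for the mismatch discussed above (pam_securetty.so set to "required" in /etc/pam.d/login or su while /etc/securetty does not exist). This is an added example, not from the BLFS book or anyone in the thread; it runs against a constructed temporary copy of pam.d rather than the real /etc, and the securetty_mismatch function name and sample contents are assumptions.

```shell
#!/bin/sh
# Hypothetical check (not from BLFS): report every PAM service file whose auth
# stack lists pam_securetty.so as required/requisite while the securetty file
# it needs is missing. That combination is what logs
#   pam_securetty(login:auth): Couldn't open /etc/securetty
set -u

# Usage: securetty_mismatch PAMDIR SECURETTY_FILE
# Prints one line per offending service; returns 0 if consistent, 1 otherwise.
securetty_mismatch() {
    pamdir=$1 securetty=$2 status=0
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        # Active lines only: a commented-out "#auth ..." line does not match.
        if grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_securetty\.so' "$f"; then
            if [ ! -e "$securetty" ]; then
                echo "$(basename "$f"): requires pam_securetty but $securetty is missing"
                status=1
            fi
        fi
    done
    return $status
}

# Constructed sample tree standing in for /etc/pam.d and /etc/securetty.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/pam.d"
printf 'auth      required    pam_securetty.so\nauth      required    pam_unix.so\n' > "$demo/pam.d/login"
printf '#auth     required    pam_securetty.so\nauth      required    pam_unix.so\n' > "$demo/pam.d/su"

# Before: no securetty file, so "login" is flagged; "su" (commented out) is not.
before_out=$(securetty_mismatch "$demo/pam.d" "$demo/securetty"); before=$?

# After: create the allow-list of consoles root may log in from, then recheck.
printf 'console\ntty1\ntty2\n' > "$demo/securetty"
after_out=$(securetty_mismatch "$demo/pam.d" "$demo/securetty"); after=$?

echo "before: status=$before ($before_out)"
echo "after:  status=$after"
```

Run it against the real system by calling securetty_mismatch /etc/pam.d /etc/securetty; an empty report with exit status 0 means the "required" entry and the file agree.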


-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page