On Wed, 02.04.14 09:12, quickbooks office (quickbooks.off...@gmail.com) wrote:
> [CHANGE PROPOSAL] The securetty file is empty by default > > All the info has been sitting here @ > https://fedoraproject.org/wiki/Changes/securetty_file_is_empty_by_default > since March 20th. > > Did I mess something up? Or is there just a backlog? This sounds entirely backwards, and I'd instead vote for removing securetty from the PAM stacks we ship altogether. The concept is outdated. It was useful in a time where the primary way to access a server was via physically attached TTY devices. But that time is mostly over... Nowadays the device names exposed by the kernel tend to be dynamically assigned, they should not be assumed stable (with one exeption, classic UART 16650 serial ports). Stable paths for these devices we add in via symlinks these days, using /dev/*/by-path/, /dev/*/by-id/, -- as you might know from disk devices. Now, the securetty logic is unable to verify things using these symlinks, hence the entire concept is flawed. It will use an unsteable device name instead, making it mostly useless in hotplug scenarios. securetty is particularly annoying when we use containers. Tools like "machinectl login" will dynamically spawn a getty for you on a pts device in the container, but since pts is not listed in securetty you cannot log in as root by default. And you cannot event add a wildcard match of pts/* to it, to make this work nicely. Hence: please let's just remove securetty entirely from the default PAM stacks. It's annoying, it creates a false sense of security, it's a relict of a different time and not compatible with modern device management, hotplug, containers, and so on! Lennart -- Lennart Poettering, Red Hat -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
