Khimenko Victor writes:
> In <200007182057.e6IKvGl03925@mobilix.ras.ucalgary.ca> Richard Gooch (rgooch@ras.ucalgary.ca) wrote:
> RG> Khimenko Victor writes:
> >> In <39709DC8.D460C273@wanadoo.fr> Martin Costabel (costabel@wanadoo.fr) wrote:
> >> > John Covici wrote:
> >> >>
> >> >> Hi. I was reading the readme in the 2.4.0-test2 kernel documentation
> >> >> tree for defs when I ran into the following mysterious passage
> >> >>
> >> >> /etc/securetty
> >> >> PAM (Pluggable Authentication Modules) is supposed to be a flexible
> >> >> mechanism for providing better user authentication and access to
> >> >> services. Unfortunately, it's also fragile, complex and undocumented
> >> >> (check out RedHat 6.1, and probably other distributions as well). PAM
> >> >> has problems with symbolic links. Append the following lines to your
> >> >> /etc/securetty file:
> >> >>
> >> >> 1
> >> >> 2
> >> >> 3
> >> >> 4
> >> >> 5
> >> >> 6
> >> >> 7
> >> >> 8
> >> >>
> >> >> What does this mean since /etc/security is a directory and where
> >> >> shhould these lines go anyway?
> >>
> >> > Isn't that obsolete anyway?
> >>
> >> It is.
> >>
> >> > The devfs documentation does not always follow the devfs API changes.
> >>
> >> True, but it's not the case.
> >>
> >> > In any case, if I want to login as root, I have to put
> >>
> >> > vc/1
> >> > vc/2
> >>
> >> > and so on into /etc/securetty.
> >>
> >> Correct. This is since my one-liner change was incorporated in
> >> linux-utils (NOT in devfs!) more then 8 months ago. So it can be
> >> true or false depending on version of linux-utils NOT depending on
> >> version of devfs. With old linux-utils you can write "0" in
> >> securetty and suddenly root login will be allowed from /dev/vc/0,
> >> /dev/pts/0, /dev/tts/0 - in fact <anything>/0 was allowed. Since it
> >> does not look good from security standpoint linux-utils were
> >> patched. Now you can specify what you REALLY want: vc/0 or tts/0 ...
>
> RG> So when did this patch go in?
>
> I remember time, not version. I had it applied for few months when someone
> said that this problem (/dev/pts/0 is treated the same as /dev/vc/0) is due to
> pam stupidity. I answered that pam is innocent - it was not supplied with
> enough info to begin with. As result of discussion I've sent patch to
> linux-utils maintainers and eventualy it was adopted (much to my surprise
> since it looks like a kludge to me).
>
> RG> I'd like to be able to refer to a specific version of util-linux rather
> RG> than just say "recent".
>
> Yes, I can understood this but problem is that I just not know when it was
> done exactly :-(
>
> RG> Also, what was the patch?
>
> Ah. This part I can say for sure:
>
> --- util-linux-2.9x/login-utils/login.c Sat Dec 11 17:00:45 1999
> +++ util-linux-2.9x/login-utils/login.c Sat Dec 11 17:03:16 1999
> @@ -480,6 +480,6 @@
> tcsetattr(0,TCSAFLUSH,&tt);
> }
>
> - if ((tty = rindex(ttyn, '/')))
> - ++tty;
> + if (strncmp(ttyn, "/dev/", 5) == 0)
> + tty = ttyn+5;
> else
Hm. util-linux-2.10f doesn't have this, 2.10h does. 2.10g isn't on
kernel.org.
However, you really should have swapped to index(3) instead (or
better, strchr(3) which is POSIX). Building an assumption on /dev
isn't very good either. It still wouldn't be 100% correct (it'll fall
over if your device nodes/devfs mountpoint are deeper), but it would
be better.
Regards,
Richard....
Permanent: rgooch@atnf.csiro.au
Current: rgooch@ras.ucalgary.ca
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jul 23 2000 - 21:00:11 EST