[systemd-devel] systemd-nspawn and pam_securetty

Lennart Poettering lennart at poettering.net
Sun Dec 8 15:46:02 PST 2013


On Sat, 07.12.13 18:25, Colin Guthrie (gmane at colin.guthr.ie) wrote:

> Hi,
> 
> So playing around a bit it seems our default pam config for pam.d/login
> uses a pam_securetty to only allow root logins via "secure" seats.
> 
> The file /etc/securetty are tty0-6 and vc/1-6
> 
> When "booting" with nspawn, the tty is "console" and thus I cannot login
> as root.
> 
> Can I ask people here a few questions:
> 
> 1. Is pam_securetty worth it?

Nope. It's really stupid.

> 2. If so, is adding "console" to the default /etc/securetty safe?

It's in there at least on Fedora. I am pretty sure the least all distros
should do is include it there. But actually they should just get rid of
it entirely.

If you add console to securetty, then logging in directly on the nspawn
console will certainly work, but using "machinectl login" still won't. 

> 3. And finally, if we should not add "console", could nspawn do
> something clever with a temporary file + bind mount to temporarily allow
> console logins in the /etc/securetty without actually modifying it.

I don't think it's worth trying to bind mount it like that, since there
a couple of ioctls that leak the original name (ptsname()), and there
are cases where you need to look up the device in /sys. In fact, in
systemd we have some code to track down to which tty /dev/tty,
/dev/tty0, and /dev/console currently point, and playing games with
renaming things certainly contradicts the general goal of such code...

Lennart

-- 
Lennart Poettering, Red Hat
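The outcomes the thread describes (root allowed on tty1, refused on the nspawn "console", still refused on the pty behind "machinectl login" even after "console" is added) follow from how pam_securetty matches the login tty against the lines of /etc/securetty. The model below is an added illustration, written for this page and not Linux-PAM's or systemd's own code. It reproduces only the core rule (non-root users are never restricted; for root, the PAM_TTY value with any leading "/dev/" stripped must appear verbatim in the file), uses a constructed securetty file matching the tty0-6 / vc/1-6 list quoted above, and assumes that machinectl login presents a pseudo-terminal named pts/N and that an absent securetty file means "allow" (this last point is an assumption about recent Linux-PAM; older releases differ, and module options such as "noconsole" are not modelled).

```python
"""Model of pam_securetty's root-login decision.

Added illustration for the thread above; not Linux-PAM code.
"""
from typing import Optional, Set

# Constructed sample of the /etc/securetty described in the thread:
# virtual consoles only, no "console" entry, no pseudo-terminals.
SECURETTY_DEFAULT = """\
# /etc/securetty (constructed sample): ttys on which root may log in
tty0
tty1
tty2
tty3
tty4
tty5
tty6
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
"""


def parse_securetty(text: str) -> Set[str]:
    """Collect tty names from securetty text, skipping blanks and '#' comments."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line)
    return names


def normalize_tty(tty: str) -> str:
    """pam_securetty drops a leading '/dev/' from PAM_TTY before comparing."""
    prefix = "/dev/"
    return tty[len(prefix):] if tty.startswith(prefix) else tty


def securetty_allows(uid: int, tty: str, securetty_text: Optional[str]) -> bool:
    """Return True if pam_securetty would let this login proceed.

    - non-root users are never restricted by the module;
    - root passes only if the normalized tty name is listed verbatim;
    - securetty_text is None models a missing /etc/securetty, treated as
      'allow' here (ASSUMPTION about recent Linux-PAM behaviour).
    """
    if uid != 0:
        return True
    if securetty_text is None:
        return True  # ASSUMPTION: missing file => no restriction
    return normalize_tty(tty) in parse_securetty(securetty_text)


def with_console_added(securetty_text: str) -> str:
    """The change discussed in the thread: append a 'console' line."""
    return securetty_text.rstrip("\n") + "\nconsole\n"


def nspawn_scenarios(securetty_text: str) -> dict:
    """Root-login outcomes for the three ttys the thread talks about.

    'machinectl login' is assumed to hand the container a pty named pts/N.
    """
    return {
        "tty1 (host VT)": securetty_allows(0, "/dev/tty1", securetty_text),
        "console (nspawn boot)": securetty_allows(0, "console", securetty_text),
        "pts/0 (machinectl login, assumed)": securetty_allows(0, "/dev/pts/0", securetty_text),
    }


if __name__ == "__main__":
    for label, cfg in (("default", SECURETTY_DEFAULT),
                       ("with console", with_console_added(SECURETTY_DEFAULT))):
        print(label, nspawn_scenarios(cfg))
```

Running it shows why adding "console" is only half a fix: the nspawn console entry flips to allowed, but pts/0 stays refused, which is the "machinectl login still won't" case in the reply above. Which name a given login actually presents can be checked inside the container with `tty` from the login shell, or by inspecting PAM_TTY in a pam_exec debug hook.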