Bug 1090638

Summary: remove pam_securetty.so from .pamd files
Product: [Fedora] Fedora Reporter: Matthew Miller <mattdm>
Component: util-linuxAssignee: Karel Zak <kzak>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact: Eric Christensen <sparks>
Priority: unspecified    
Version: rawhideCC: jonathan, kzak, mluscon, moez.roy, ovasik, sparks
Target Milestone: ---Flags: mattdm: fedora_requires_release_note+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: util-linux-2.24.2-3.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-12 08:57:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthew Miller 2014-04-23 20:05:57 UTC 
See background at https://fedorahosted.org/fesco/ticket/1298#comment:1 and discussion thread here: https://lists.fedoraproject.org/pipermail/devel/2014-April/197712.html

In short, securetty doesn't scale well to the modern world of dynamic device files, and actively breaks in containers.

Please remove pam_securetty.so from util-linux-login.pamd and util-linux-remote.pamd.

Thank you!
Comment 1 Matthew Miller 2014-04-23 20:17:37 UTC 
This needs to go in the release notes. Something like:

Because of the dynamic nature of TTY device files on modern Linux systems, the "securetty" PAM module has been disabled by default and /etc/securetty no longer included. Since the previous file listed many possible devices so that the practical effect in most cases was to allow by default, this change will not impact most people. However, if you were using a more restrictive configuration, you will need to add pam_securetty.so to the appropriate files in /etc/pam.d, and create a new /etc/securetty file.
Comment 2 Eric Christensen 2014-04-23 20:27:23 UTC 
I'll take this for the Release Notes.
Comment 3 Matthew Miller 2014-04-23 21:20:17 UTC 
This is related to bug #1090639, but it's not actually a dependency either way, because:

* If /etc/securetty is removed but the pam configuration unchanged, the pam module treats that as "allow anything" -- the desired state, but with extra lines in the pam file which aren't doing anything
* If the pam configuration is changed but /etc/securetty is still there, it won't work anymore, which may be confusing, but doesn't block anything
Comment 4 Moez Roy 2014-05-10 01:14:20 UTC 
So is pam_securetty.so removed from util-linux-login.pamd and util-linux-remote.pamd ?

Or do you need to wait for  Karel Zak to remove it?
Comment 5 Karel Zak 2014-05-12 08:57:22 UTC 
Removed.