Bug 1650701

Summary: Empty /etc/securetty does not prevent console login for root
Product: Red Hat Enterprise Linux 8 Reporter: bugzilla
Component: doc-Release_Notes-8-en-USAssignee: Ioanna Gkioka <igkioka>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 8.0CC: dapospis, jwboyer, rhel-docs, tmraz
Target Milestone: rcKeywords: Documentation
Target Release: 8.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Removed functionality
Doc Text:
.`securetty` is now disabled by default Because of the dynamic nature of `tty` device files on modern Linux systems, the `securetty` PAM module has been disabled by default and the `/etc/securetty` configuration file is no longer included in RHEL. Since `/etc/securetty` listed many possible devices so that the practical effect in most cases was to allow by default, this change has only a minor impact. However, if you use a more restrictive configuration, you need to add a line enabling the `pam_securetty.so` module to the appropriate files in the `/etc/pam.d` directory, and create a new `/etc/securetty` file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-14 01:23:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description bugzilla 2018-11-16 21:49:57 UTC 
Description of problem:

To disable console login, traditionally we have removed the tty/pty entries from /etc/securetty. Doing so in RHEL 8.0 beta 1 has no effect.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access

Version-Release number of selected component (if applicable):

RHEL 8.0 beta 1

How reproducible:

100%

Steps to Reproduce:
1. echo > /etc/securetty
2. login to the console as root

Actual results:

root login is successful.

Expected results:

root login is not allowed.

Additional info:
Comment 1 Josh Boyer 2018-11-19 14:03:10 UTC 
I believe this was an intentional change that came through Fedora back in 2014 (?!) via bug 1090638.  However, I don't know what the replacement is.
Comment 2 Karel Zak 2018-11-21 10:12:12 UTC 
I do not remember details, but it seems like expected default in PAM setting. And  I guess you can still use pam_securetty in .pamd files.

Anyway, let's ask PAM guys for more details :-) (needinfo)
Comment 3 Tomas Mraz 2018-11-21 10:18:51 UTC 
There is no 1:1 replacement however you can either modify the /еtc/pam.d/login and add pam_securetty.so back or you can try to workaround it by settings in access.conf. However access.conf is applied to everything, not just login so if you need to allow su to root when being logged in on console tty*, it will be a problem.
Comment 4 bugzilla 2018-11-21 17:26:56 UTC 
adding the line back into /etc/pam.d/login from rhel 7.6 works - i can't login directly as root but i can su to root:

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

these docs need updating perhaps for rhel8:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access

it seems odd to remove the functionality just because of it breaking zlogin or whatever is used to log into containers. surely they should be doing the workaround not baremetal/vm's, or just don't ship an empty /etc/securetty file...?