Bug 772733

Summary: /etc/securetty documentation is incorrect
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jhradile, mprpic
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-03 01:49:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 772739, 772740, 772741, 781441
Bug Blocks: 772736

Description Kurt Seifried 2012-01-09 20:13:13 UTC
Description of problem:

Traditionally the file /etc/securetty is used to control what
consoles/terminals the root user can log in from. We document this in RHEL 4, 5
and 6:

=========
An empty /etc/securetty file prevents root login on any devices attached to the
computer.       

---

Prevents access to the root account via the console or the network. The
following programs are prevented from accessing the root account:
· login
· gdm
· kdm
· xdm
· Other network services that open a tty 
=========

You can verify this in the following docs:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Security_Guide/index.html#sect-Security_Guide-Workstation_Security-Administrative_Controls

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-sec-network.html#s1-wstation-privileges

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s2-wstation-privileges-noroot.html

Version-Release number of selected component (if applicable):

I tested gdm, kdm and xdm on RHEL 6.2, and gdm/kdm on RHEL 5.8

How reproducible:

100%.

Steps to Reproduce:
1. zero the /etc/securetty file with "cat 0 > /etc/securetty"
2. test root login via console (e.g. alt-F2), root login fails (good!)
3. test root login via gdm, kdm or xdm, root login is allowed (bad!)

Actual results:

Root can log in via gdm/kdm/xdm even if the user follows the documented
instructions to lock the root account out.

Expected results:

root login fails


Additional info:

The files of interest are:

[root@test-rhel-server-6 pam.d]# ls *dm*
gdm  gdm-autologin  gdm-fingerprint  gdm-password  gdm-smartcard  kdm  kdm-np 
xdm
[root@test-rhel-server-6 pam.d]# rpm -qf *dm* | sort | uniq
gdm-2.30.4-32.el6.x86_64
gdm-plugin-fingerprint-2.30.4-32.el6.x86_64
gdm-plugin-smartcard-2.30.4-32.el6.x86_64
kde-settings-kdm-4.3.1-1.el6.noarch
xorg-x11-xdm-1.1.6-14.1.el6.x86_64

Fix information:

1) fixing the pam.d files may be done in a future release of RHEL.

=========
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
=========

2) we need to fix the documentation ASAP to tell people to add that line so
that /etc/securetty will actually work as expected. Simply updating the text in
the docs mentioned above should be sufficient:

=========
An empty /etc/securetty file prevents root login on any devices attached to the
computer.
=========

should be something like:

=========
An empty /etc/securetty file prevents root login on any devices attached to the
computer. To enable securetty support in kdm, gdm and xdm add the following
line:

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

to the files:

/etc/pam.d/gdm  
/etc/pam.d/gdm-autologin  
/etc/pam.d/gdm-fingerprint  
/etc/pam.d/gdm-password  
/etc/pam.d/gdm-smartcard  
/etc/pam.d/kdm  
/etc/pam.d/kdm-np  
/etc/pam.d/xdm
=========


And we should be good.
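The report's reproduction steps and proposed fix boil down to two questions an administrator can answer mechanically: which display-manager PAM stacks currently lack an active `pam_securetty.so` auth entry, and how to put the proposed line in front of the `system-auth` include so it is consulted first. The POSIX shell script below is an added example written for this page, not code from the bug report or from Red Hat's documentation. It takes the file list and the PAM line from the report; the `pam.d` directory is a parameter so the same functions run against a constructed sample tree (labelled as such in the code) or, read-only, against `/etc/pam.d`. The function names `audit_securetty`, `add_securetty` and `make_sample` are this example's own.

```shell
# Added example (not part of the bug report or Red Hat's docs): audit the
# display-manager PAM stacks named in the report for an active pam_securetty.so
# "auth" line, and insert the line the report proposes where it is missing.

# File list and PAM line exactly as given in the report.
DM_PAM_FILES="gdm gdm-autologin gdm-fingerprint gdm-password gdm-smartcard kdm kdm-np xdm"
SECURETTY_LINE='auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so'

# audit_securetty PAMDIR
# Prints, one per line, each installed display-manager PAM file that has no
# uncommented "auth ... pam_securetty.so" entry. Exit status 0 when every file
# present in PAMDIR carries the check, 1 otherwise.
audit_securetty() {
    pamdir=$1
    missing=0
    for f in $DM_PAM_FILES; do
        path="$pamdir/$f"
        [ -f "$path" ] || continue          # display manager not installed
        # A commented-out line ("#auth ... pam_securetty.so") must not count.
        if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_securetty\.so' "$path"; then
            echo "$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# add_securetty FILE
# Inserts SECURETTY_LINE as the first entry so it runs before any include or
# substack of system-auth. A leading "#%PAM-1.0" header stays on line 1, and
# rewriting through "cat >" keeps the file's ownership and mode.
add_securetty() {
    path=$1
    tmp=$(mktemp)
    awk -v l="$SECURETTY_LINE" '
        NR == 1 && /^#%PAM-1\.0/ { print; print l; next }
        NR == 1                  { print l }
                                 { print }
    ' "$path" > "$tmp" && cat "$tmp" > "$path"
    rm -f "$tmp"
}

# make_sample
# Builds a constructed pam.d tree (sample data, not real system files): one
# compliant file, one lacking the check, one where the check is only a comment.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' "$SECURETTY_LINE" 'auth substack password-auth' > "$d/gdm-password"
    printf '%s\n' '#%PAM-1.0' 'auth include system-auth' > "$d/xdm"
    printf '%s\n' '#%PAM-1.0' '#auth required pam_securetty.so' 'auth include system-auth' > "$d/kdm"
    echo "$d"
}

# Read-only audit of a live system:   audit_securetty /etc/pam.d
# Demonstration on the constructed tree:
sample=$(make_sample)
echo "Display-manager PAM files without an active pam_securetty.so line:"
to_fix=$(audit_securetty "$sample" || true)
echo "$to_fix"
for f in $to_fix; do add_securetty "$sample/$f"; done
audit_securetty "$sample" && echo "All present display-manager PAM files now consult /etc/securetty"
rm -rf "$sample"
```

Running the demonstration lists `kdm` and `xdm` (the commented-out line in `kdm` is correctly treated as absent), inserts the line into both, and the second audit passes. Against a real host, run only `audit_securetty /etc/pam.d` first and review its output before applying `add_securetty` to any file, since the report's own caveat applies: the line is a workaround until the packaged `pam.d` files carry it themselves.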