Bug 1090638 - remove pam_securetty.so from .pamd files
Summary: remove pam_securetty.so from .pamd files
Alias: None
Product: Fedora
Classification: Fedora
Component: util-linux
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Karel Zak
QA Contact: Fedora Extras Quality Assurance
Eric Christensen
Depends On:
TreeView+ depends on / blocked
Reported: 2014-04-23 20:05 UTC by Matthew Miller
Modified: 2014-05-12 08:57 UTC (History)
6 users (show)

Fixed In Version: util-linux-2.24.2-3.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-05-12 08:57:22 UTC
Type: Bug
mattdm: fedora_requires_release_note+

Attachments (Terms of Use)

Description Matthew Miller 2014-04-23 20:05:57 UTC
See background at https://fedorahosted.org/fesco/ticket/1298#comment:1 and discussion thread here: https://lists.fedoraproject.org/pipermail/devel/2014-April/197712.html

In short, securetty doesn't scale well to the modern world of dynamic device files, and actively breaks in containers.

Please remove pam_securetty.so from util-linux-login.pamd and util-linux-remote.pamd.

Thank you!

Comment 1 Matthew Miller 2014-04-23 20:17:37 UTC
This needs to go in the release notes. Something like:

Because of the dynamic nature of TTY device files on modern Linux systems, the "securetty" PAM module has been disabled by default and /etc/securetty no longer included. Since the previous file listed many possible devices so that the practical effect in most cases was to allow by default, this change will not impact most people. However, if you were using a more restrictive configuration, you will need to add pam_securetty.so to the appropriate files in /etc/pam.d, and create a new /etc/securetty file.

Comment 2 Eric Christensen 2014-04-23 20:27:23 UTC
I'll take this for the Release Notes.

Comment 3 Matthew Miller 2014-04-23 21:20:17 UTC
This is related to bug #1090639, but it's not actually a dependency either way, because:

* If /etc/securetty is removed but the pam configuration unchanged, the pam module treats that as "allow anything" -- the desired state, but with extra lines in the pam file which aren't doing anything
* If the pam configuration is changed but /etc/securetty is still there, it won't work anymore, which may be confusing, but doesn't block anything

Comment 4 Moez Roy 2014-05-10 01:14:20 UTC
So is pam_securetty.so removed from util-linux-login.pamd and util-linux-remote.pamd ?

Or do you need to wait for  Karel Zak to remove it?

Comment 5 Karel Zak 2014-05-12 08:57:22 UTC

Note You need to log in before you can comment on or make changes to this bug.