Bug 1650701 - Empty /etc/securetty does not prevent console login for root
Summary: Empty /etc/securetty does not prevent console login for root
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: doc-Release_Notes-8-en-US
Version: 8.0
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: rc
: 8.0
Assignee: Ioanna Gkioka
QA Contact:
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-16 21:49 UTC by bugzilla
Modified: 2019-06-14 01:23 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Removed functionality
Doc Text:
.`securetty` is now disabled by default Because of the dynamic nature of `tty` device files on modern Linux systems, the `securetty` PAM module has been disabled by default and the `/etc/securetty` configuration file is no longer included in RHEL. Since `/etc/securetty` listed many possible devices so that the practical effect in most cases was to allow by default, this change has only a minor impact. However, if you use a more restrictive configuration, you need to add a line enabling the `pam_securetty.so` module to the appropriate files in the `/etc/pam.d` directory, and create a new `/etc/securetty` file.
Clone Of:
Environment:
Last Closed: 2019-06-14 01:23:45 UTC
Type: Bug


Attachments (Terms of Use)

Description bugzilla 2018-11-16 21:49:57 UTC
Description of problem:

To disable console login, traditionally we have removed the tty/pty entries from /etc/securetty. Doing so in RHEL 8.0 beta 1 has no effect.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access

Version-Release number of selected component (if applicable):

RHEL 8.0 beta 1

How reproducible:

100%

Steps to Reproduce:
1. echo > /etc/securetty
2. login to the console as root

Actual results:

root login is successful.

Expected results:

root login is not allowed.

Additional info:

Comment 1 Josh Boyer 2018-11-19 14:03:10 UTC
I believe this was an intentional change that came through Fedora back in 2014 (?!) via bug 1090638.  However, I don't know what the replacement is.

Comment 2 Karel Zak 2018-11-21 10:12:12 UTC
I do not remember details, but it seems like expected default in PAM setting. And  I guess you can still use pam_securetty in .pamd files.

Anyway, let's ask PAM guys for more details :-) (needinfo)

Comment 3 Tomas Mraz 2018-11-21 10:18:51 UTC
There is no 1:1 replacement however you can either modify the /еtc/pam.d/login and add pam_securetty.so back or you can try to workaround it by settings in access.conf. However access.conf is applied to everything, not just login so if you need to allow su to root when being logged in on console tty*, it will be a problem.

Comment 4 bugzilla 2018-11-21 17:26:56 UTC
adding the line back into /etc/pam.d/login from rhel 7.6 works - i can't login directly as root but i can su to root:

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

these docs need updating perhaps for rhel8:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access

it seems odd to remove the functionality just because of it breaking zlogin or whatever is used to log into containers. surely they should be doing the workaround not baremetal/vm's, or just don't ship an empty /etc/securetty file...?


Note You need to log in before you can comment on or make changes to this bug.