Created attachment 498708 [details] allow root login on devices from /sys/class/tty/console/active root should be allowed to login on devices from "/sys/class/tty/console/active". On s390x the kernel presents various consoles (z/VM console, HMC console for LPARs) as /dev/ttyS? and with the recent switch from upstart to systemd the init process doesn't call /sbin/securetty to add the serial line device to /etc/securetty when getty is started. The /sys/class/tty/console/active file was added in this commit - http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fbc92a3455577ab17615cbcb91826399061bd789 From a discussion with Lennart on #systemd: <sharkcz> we have a problem in F-15 on system with main console on ttyS0 where root can't log in because ttyS0 is not /etc/securetty, upstart (or better upstart job in initscripts) took care of that earlier <mezcalero> sharkcz: pam_securetty has been updated to check console= from the kernel cmdline <mezcalero> and allow that too <sharkcz> ah, but on s390x the console= is not used and the kernel uses ttyS0 by default <mezcalero> sharkcz: hmm, i guess we should update pam_securetty to check /sys/class/tty/console/active instead of the cmdline <mezcalero> that should work for you, too, then, right? <sharkcz> mezcalero: yep, looks like it has the correct value <mezcalero> sharkcz: it's actually a list of values <mezcalero> sharkcz: because you can pass console= multiple times on the kernel cmdline <mezcalero> sharkcz: anyway, such a fix should be simple to do <mezcalero> sharkcz: for compat with older kernels the current cmdline check probably should stay in pam_securetty <mezcalero> but the new check used if /sys/class/tty/console/active can be opened