Bug 772733 - /etc/securetty documentation is incorrect
Summary: /etc/securetty documentation is incorrect
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 772739 772740 772741 781441
Blocks: 772736
Reported: 2012-01-09 20:13 UTC by Kurt Seifried
Modified: 2019-09-29 12:49 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-03 01:49:13 UTC



Description Kurt Seifried 2012-01-09 20:13:13 UTC
Description of problem:

Traditionally the file /etc/securetty is used to control what
consoles/terminals the root user can log in from. We document this in RHEL 4, 5
and 6:

=========
An empty /etc/securetty file prevents root login on any devices attached to the
computer.       

---

Prevents access to the root account via the console or the network. The
following programs are prevented from accessing the root account:
· login
· gdm
· kdm
· xdm
· Other network services that open a tty 
=========

You can verify this in the following docs:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Security_Guide/index.html#sect-Security_Guide-Workstation_Security-Administrative_Controls

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-sec-network.html#s1-wstation-privileges

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s2-wstation-privileges-noroot.html

Version-Release number of selected component (if applicable):

I tested gdm, kdm and xdm on RHEL 6.2, and gdm/kdm on RHEL 5.8

How reproducible:

100%.

Steps to Reproduce:
1. zero the /etc/securetty file with "cat 0 > /etc/securetty"
2. test root login via console (e.g. alt-F2), root login fails (good!)
3. test root login via gdm, kdm or xdm, root login is allowed (bad!)

Actual results:

Root can log in via gdm/kdm/xdm even if the user follows documented instructions
to lock the root account out.

Expected results:

root login fails


Additional info:

the files of interest are:

[root@test-rhel-server-6 pam.d]# ls *dm*
gdm  gdm-autologin  gdm-fingerprint  gdm-password  gdm-smartcard  kdm  kdm-np 
xdm
[root@test-rhel-server-6 pam.d]# rpm -qf *dm* | sort | uniq
gdm-2.30.4-32.el6.x86_64
gdm-plugin-fingerprint-2.30.4-32.el6.x86_64
gdm-plugin-smartcard-2.30.4-32.el6.x86_64
kde-settings-kdm-4.3.1-1.el6.noarch
xorg-x11-xdm-1.1.6-14.1.el6.x86_64

Fix information:

1) fixing the pam.d files may be done in a future release of RHEL.

=========
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
=========

2) we need to fix the documentation ASAP to tell people to add that line so
that /etc/securetty will actually work as expected. Simply updating the text in
the docs mentioned above should be sufficient:

=========
An empty /etc/securetty file prevents root login on any devices attached to the
computer.
=========

should be something like:

=========
An empty /etc/securetty file prevents root login on any devices attached to the
computer. To enable securetty support in kdm, gdm and xdm add the following
line:

auth [user_unknown=ignore success=ok ignore=ignore default=bad]
pam_securetty.so

to the files:

/etc/pam.d/gdm  
/etc/pam.d/gdm-autologin  
/etc/pam.d/gdm-fingerprint  
/etc/pam.d/gdm-password  
/etc/pam.d/gdm-smartcard  
/etc/pam.d/kdm  
/etc/pam.d/kdm-np  
/etc/pam.d/xdm
=========


And we should be good.
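The following is an added example, not code from the bug report or from Red Hat: a small audit that checks whether the eight /etc/pam.d service files named above actually run pam_securetty.so in their auth stack (following `auth include` / `auth substack` into other service files, so an inherited check is not missed), plus a model of what the proposed bracketed control does with pam_securetty's return values. The PAM control semantics follow pam.conf(5); the pam_securetty behaviour (only root is restricted, an empty file denies root everywhere, a missing file is treated as "allow" for compatibility) follows pam_securetty(8). The pam.d tree the demo builds is constructed in a temporary directory; the hypothetical state it models (kdm patched, gdm and xdm not, the other files absent) is an assumption for illustration, not a statement about any release.

```python
"""Added example: audit display-manager PAM stacks for pam_securetty.so and
model what the proposed auth line decides for a root login."""
import re
import tempfile
from pathlib import Path

# The /etc/pam.d service files the bug report lists for gdm, kdm and xdm.
DM_SERVICES = ["gdm", "gdm-autologin", "gdm-fingerprint", "gdm-password",
               "gdm-smartcard", "kdm", "kdm-np", "xdm"]
# The auth line the report proposes adding to each of them.
SECURETTY_LINE = "auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so"

# type   control (keyword or [bracket form])   module   [args]
PAM_LINE = re.compile(r"^(-?[a-z]+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_pam(text):
    """Return (type, control, module, args) tuples; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, control, module, args = m.groups()
        entries.append((typ.lstrip("-"), control, module, args or ""))  # '-' = optional module
    return entries


def consults_securetty(service, pam_dir, _seen=None):
    """True if the auth stack of `service` runs pam_securetty.so, directly or via
    'auth include X' / 'auth substack X' (cycle-safe)."""
    seen = _seen if _seen is not None else set()
    path = Path(pam_dir) / service
    if service in seen or not path.is_file():
        return False
    seen.add(service)
    for typ, control, module, _ in parse_pam(path.read_text()):
        if typ != "auth":
            continue
        if control in ("include", "substack"):
            if consults_securetty(module, pam_dir, seen):
                return True
        elif module.endswith("pam_securetty.so"):
            return True
    return False


def audit(pam_dir, services=DM_SERVICES):
    """Map each service to True/False, or None when the service file is absent."""
    return {s: consults_securetty(s, pam_dir) if (Path(pam_dir) / s).is_file() else None
            for s in services}


# pam.conf(5) equivalents of the keyword controls, in bracket form.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def action_for(control, retval):
    """Action the stack takes when a module returns `retval` under `control`.
    Note that plain 'required' maps user_unknown to 'bad', which is why the
    proposed line uses the bracket form with user_unknown=ignore."""
    table = (dict(kv.split("=", 1) for kv in control[1:-1].split())
             if control.startswith("[") else KEYWORDS[control])
    return table.get(retval, table.get("default"))


def securetty_result(user, tty, securetty_text, known_users=("root",)):
    """Model of pam_securetty's return value per pam_securetty(8).
    securetty_text=None models a missing /etc/securetty (treated as allow for
    compatibility); "" models the emptied file from the report (root denied everywhere)."""
    if user not in known_users:
        return "user_unknown"
    if user != "root" or securetty_text is None:
        return "success"
    allowed = {l.strip() for l in securetty_text.splitlines() if l.strip() and not l.startswith("#")}
    name = tty[5:] if tty.startswith("/dev/") else tty  # the module compares without /dev/
    return "success" if name in allowed else "auth_err"


def blocks_root(control, tty, securetty_text):
    """Does a pam_securetty line under `control` reject a root login on `tty`?"""
    return action_for(control, securetty_result("root", tty, securetty_text)) in ("bad", "die")


def demo():
    """Constructed pam.d tree (assumption for illustration): kdm carries the
    proposed line, gdm and xdm only include system-auth, the rest are absent."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "system-auth").write_text("auth required pam_env.so\nauth sufficient pam_unix.so nullok\n")
        Path(d, "gdm").write_text("auth include system-auth\n")
        Path(d, "xdm").write_text("auth required pam_env.so\nauth include system-auth\n")
        Path(d, "kdm").write_text(SECURETTY_LINE + "\nauth include system-auth\n")
        return audit(d)


if __name__ == "__main__":
    for service, state in demo().items():
        print(f"{service:16s} {'ok' if state else 'MISSING pam_securetty' if state is False else 'no file'}")
```

Run `audit("/etc/pam.d")` on a real host to see which display-manager stacks would honour an emptied /etc/securetty; a `False` entry is a service where root can still log in through that display manager regardless of the file's contents. `blocks_root` shows why the bracket control matters: with the proposed line, an emptied file turns every root login through the display into `bad`, while unknown users fall through to the rest of the stack instead of being rejected by this module.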

