[Pkg-shadow-devel] Bug#768020: Bug#768020: Missing /dev/ttySC* entries in /etc/securetty
Mike Frysinger
vapier at gentoo.org
Wed Nov 5 15:49:10 UTC 2014
On 05 Nov 2014 09:16, Geert Uytterhoeven wrote:
> On Tue, Nov 4, 2014 at 6:31 PM, Mike Frysinger <vapier at gentoo.org> wrote:
> > On 04 Nov 2014 10:04, Geert Uytterhoeven wrote:
> >> Package: login
> >> Version: 1:4.2-2+b1
> >>
> >> /etc/securetty contains the following /dev/ttySC* entries:
> >>
> >> | # SCI serial port (SuperH) ports and SC26xx serial ports
> >> | ttySC0
> >> | ttySC1
> >> | ttySC2
> >> | ttySC3
> >>
> >> Some Renesas ARM-based SH-Mobile development boards have the
> >> serial console on ttySC4 or ttySC6, or a secondary console on ttySC7.
> >> At least one SH-based board has its serial console on ttySC5.
> >>
> >> Can you please add entries ttySC[4-9]?
> >
> > there's a lot of boards with a lot of different serial devices. i'm not sure
> > every possibility should be hardcoded ? every distro is duplicating this work
> > too and maintaining their own random full list. can't we do better here ?
>
> Unfortunately, due to the "only real 16550 serial ports can be called ttyS%u"
> rule...
i'm aware (having written & merged some serial drivers myself). my point was to
improve things by default in userland.
> > perhaps the default should be to not have an /etc/securetty at all ? if the
> > system is configured to launch getty on a tty, then in today's world, it means
> > it's a local device right ? if you have physical access to something, and know
>
> It may still be connected to a modem, waiting for incoming calls...
how many of these systems legitimately exist anymore ? we shouldn't be
handicapping the majority of users for an extreme edge case. if those people
want to set up securetty, they can create the file themselves.
> > the root password, what exactly is this protecting the system from ?
>
> /etc/securetty is not meant to prevent privileged people from getting in,
> but to protect the system against eavesdropping on unsecure lines
> (e.g. out-of-the-building serial cables and modem lines).
how does securetty prevent that ? you can log in as non-root and then sudo. or
try and leverage a known security vuln to escalate that non-root account. any
perceived security provided by securetty is an illusion.
-mike
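To make the two positions in this thread concrete, here is an added audit script (not part of the bug report or the shadow/PAM code) that models the securetty check and runs it over the console names the report mentions. The semantics it assumes are those of pam_securetty and shadow's login: one tty name per line without the /dev/ prefix, '#' starts a comment, a missing file means no restriction, and only UID 0 is ever restricted; the sample file and console list are constructed from the excerpt above.

```python
"""Audit /etc/securetty against the consoles a system runs getty on.

Assumed semantics (those of pam_securetty / shadow login): one tty name per
line without the /dev/ prefix, '#' starts a comment, a missing file imposes
no restriction, and only UID 0 is ever restricted.
"""
from typing import Iterable, List, Optional, Set

# Constructed sample mirroring the /etc/securetty excerpt quoted in the bug.
SAMPLE_SECURETTY = """\
# SCI serial port (SuperH) ports and SC26xx serial ports
ttySC0
ttySC1
ttySC2
ttySC3
"""
# Constructed: consoles the report says SH-Mobile / SH boards use for getty.
BOARD_CONSOLES = ["ttySC0", "ttySC4", "ttySC5", "ttySC6", "ttySC7"]


def normalize_tty(tty: str) -> str:
    """Strip a leading '/dev/' so 'ttySC4' and '/dev/ttySC4' compare equal."""
    tty = tty.strip()
    return tty[5:] if tty.startswith("/dev/") else tty


def parse_securetty(text: Optional[str]) -> Optional[Set[str]]:
    """Set of listed ttys, or None when the file does not exist."""
    if text is None:
        return None
    listed = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # skip blanks and comments
            listed.add(normalize_tty(line))
    return listed


def root_login_allowed(text: Optional[str], tty: str, uid: int = 0) -> bool:
    """True if a login with this UID on this tty passes the securetty check."""
    if uid != 0:  # only root is restricted: user login + sudo bypasses the file
        return True
    listed = parse_securetty(text)
    return listed is None or normalize_tty(tty) in listed


def consoles_refusing_root(text: Optional[str], consoles: Iterable[str]) -> List[str]:
    """Consoles where a direct root login would be refused by securetty."""
    return [c for c in consoles if not root_login_allowed(text, c)]
```

Running `consoles_refusing_root(SAMPLE_SECURETTY, BOARD_CONSOLES)` lists exactly the ttySC4-7 consoles the report asks to add, while `root_login_allowed(None, ...)` shows that removing the file, as proposed above, lifts the restriction everywhere.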