[Pkg-shadow-devel] Bug#768020: Bug#768020: Missing /dev/ttySC* entries in /etc/securetty
vapier at gentoo.org
Wed Nov 5 18:30:54 UTC 2014
On 05 Nov 2014 17:35, Geert Uytterhoeven wrote:
> On Wed, Nov 5, 2014 at 4:49 PM, Mike Frysinger wrote:
> >> > perhaps the default should be to not have an /etc/securetty at all ? if the
> >> > system is configured to launch getty on a tty, then in today's world, it means
> >> > it's a local device right ? if you have physical access to something, and know
> >> It may still be connected to a modem, waiting for incoming calls...
> > how many of these systems legitimately exist anymore ? we shouldn't be
> > handicapping the majority of users for an extreme edge case. if those people
> > want to set up securetty, they can create the file themselves.
> >> > the root password, what exactly is this protecting the system from ?
> >> /etc/securetty is not meant to prevent privileged people from getting in,
> >> but to protect the system against eavesdropping on unsecure lines
> >> (.e.g. out-of-the-building serial cables and modem lines).
> > how does securetty prevent that ? you can log in as non-root and then sudo. or
> > try and leverage a known security vuln to escalate that non-root account. any
> > perceived security provided by securetty is an illusion.
> Ah, sudo is a recent invention ;-)
`su` isn't though, and i don't think `su` enforces securetty ? it's only at
`login` time ?
> But you're right, /etc/securetty has little value these days.
i guess this is something we need to encourage each distro to do as i don't
think the upstream shadow package already ships this behavior by default. i'll
update Gentoo after i double check the behavior and see if anyone notices :).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: Digital signature
More information about the Pkg-shadow-devel