121 lines
3.9 KiB
Diff
121 lines
3.9 KiB
Diff
|
Index: modules/pam_securetty/pam_securetty.8.xml
|
||
|
===================================================================
|
||
|
RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml,v
|
||
|
retrieving revision 1.4
|
||
|
retrieving revision 1.6
|
||
|
diff -u -p -r1.4 -r1.6
|
||
|
--- modules/pam_securetty/pam_securetty.8.xml 18 Aug 2008 13:29:25 -0000 1.4
|
||
|
+++ modules/pam_securetty/pam_securetty.8.xml 25 Nov 2010 16:58:59 -0000 1.6
|
||
|
@@ -33,7 +33,9 @@
|
||
|
user is logging in on a "secure" tty, as defined by the listing
|
||
|
in <filename>/etc/securetty</filename>. pam_securetty also checks
|
||
|
to make sure that <filename>/etc/securetty</filename> is a plain
|
||
|
- file and not world writable.
|
||
|
+ file and not world writable. It will also allow root logins on
|
||
|
+ the tty specified with <option>console=</option> switch on the
|
||
|
+ kernel command line.
|
||
|
</para>
|
||
|
<para>
|
||
|
This module has no effect on non-root users and requires that the
|
||
|
@@ -61,6 +63,18 @@
|
||
|
</para>
|
||
|
</listitem>
|
||
|
</varlistentry>
|
||
|
+ <varlistentry>
|
||
|
+ <term>
|
||
|
+ <option>noconsole</option>
|
||
|
+ </term>
|
||
|
+ <listitem>
|
||
|
+ <para>
|
||
|
+ Do not automatically allow root logins on the kernel console
|
||
|
+ device, as specified on the kernel command line, if it is
|
||
|
+ not also specified in the <filename>/etc/securetty</filename> file.
|
||
|
+ </para>
|
||
|
+ </listitem>
|
||
|
+ </varlistentry>
|
||
|
</variablelist>
|
||
|
</refsect1>
|
||
|
|
||
|
Index: modules/pam_securetty/pam_securetty.c
|
||
|
===================================================================
|
||
|
RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.c,v
|
||
|
retrieving revision 1.14
|
||
|
retrieving revision 1.15
|
||
|
diff -u -p -r1.14 -r1.15
|
||
|
--- modules/pam_securetty/pam_securetty.c 10 Sep 2009 10:19:58 -0000 1.14
|
||
|
+++ modules/pam_securetty/pam_securetty.c 24 Nov 2010 12:28:01 -0000 1.15
|
||
|
@@ -2,6 +2,7 @@
|
||
|
|
||
|
#define SECURETTY_FILE "/etc/securetty"
|
||
|
#define TTY_PREFIX "/dev/"
|
||
|
+#define CMDLINE_FILE "/proc/cmdline"
|
||
|
|
||
|
/*
|
||
|
* by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
|
||
|
@@ -22,6 +23,7 @@
|
||
|
#include <pwd.h>
|
||
|
#include <string.h>
|
||
|
#include <ctype.h>
|
||
|
+#include <limits.h>
|
||
|
|
||
|
/*
|
||
|
* here, we make a definition for the externally accessible function
|
||
|
@@ -38,6 +40,7 @@
|
||
|
#include <security/pam_ext.h>
|
||
|
|
||
|
#define PAM_DEBUG_ARG 0x0001
|
||
|
+#define PAM_NOCONSOLE_ARG 0x0002
|
||
|
|
||
|
static int
|
||
|
_pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
|
||
|
@@ -51,6 +54,8 @@ _pam_parse (const pam_handle_t *pamh, in
|
||
|
|
||
|
if (!strcmp(*argv,"debug"))
|
||
|
ctrl |= PAM_DEBUG_ARG;
|
||
|
+ else if (!strcmp(*argv, "noconsole"))
|
||
|
+ ctrl |= PAM_NOCONSOLE_ARG;
|
||
|
else {
|
||
|
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
|
||
|
}
|
||
|
@@ -144,6 +149,40 @@ securetty_perform_check (pam_handle_t *p
|
||
|
}
|
||
|
fclose(ttyfile);
|
||
|
|
||
|
+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
|
||
|
+ FILE *cmdlinefile;
|
||
|
+
|
||
|
+ /* Allow access from the kernel console, if enabled */
|
||
|
+ cmdlinefile = fopen(CMDLINE_FILE, "r");
|
||
|
+
|
||
|
+ if (cmdlinefile != NULL) {
|
||
|
+ char line[LINE_MAX], *p;
|
||
|
+
|
||
|
+ line[0] = 0;
|
||
|
+ fgets(line, sizeof(line), cmdlinefile);
|
||
|
+ fclose(cmdlinefile);
|
||
|
+
|
||
|
+ for (p = line; p; p = strstr(p+1, "console=")) {
|
||
|
+ char *e;
|
||
|
+
|
||
|
+ /* Test whether this is a beginning of a word? */
|
||
|
+ if (p > line && p[-1] != ' ')
|
||
|
+ continue;
|
||
|
+
|
||
|
+ /* Ist this our console? */
|
||
|
+ if (strncmp(p + 8, uttyname, strlen(uttyname)))
|
||
|
+ continue;
|
||
|
+
|
||
|
+ /* Is there any garbage after the TTY name? */
|
||
|
+ e = p + 8 + strlen(uttyname);
|
||
|
+ if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) {
|
||
|
+ retval = 0;
|
||
|
+ break;
|
||
|
+ }
|
||
|
+ }
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
if (retval) {
|
||
|
pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
|
||
|
uttyname);
|