Feature #5391

allow multiple CONSOLE devices in /etc/default/login

Added by Michael Mounteney almost 6 years ago.

Status: New
Priority: Low
Assignee: -
Category: smf
Start date: 2014-12-04
Due date:
% Done: 0%
Estimated time: 6.00 h
Difficulty: Bite-size
Tags: needs-triage
Gerrit CR:

Description

The CONSOLE= line allows the restriction of root logins to just the console device. If a system is configured with a second login (e.g., a serial port for remote access), there is no option to allow just that second device to accept root logins. The CONSOLE= line must be commented out or removed entirely.

It would be nice if the CONSOLE= line would accept a list of devices which accept root logins, thus restricting access as tightly as possible.

Quoting from a message on the OmniOS users mailing list (not yet available on gmane):

Hmm, reviewing the source to login, if CONSOLE is set to the default
/dev/console, root login is allowed on either /dev/console or /dev/vt/*. If
it is set to anything else, root login is allowed only from the device it is
set to. If not set, root login is allowed on any device.

It would be pretty trivial to extend the current code:

    } else {
        if (strcmp(ttyn, Console) == 0)
            return;
    }

To allow CONSOLE to be a list of devices rather than a single device:

    char *state;
    char *test_console;
    /* Note: strtok_r() overwrites each ',' in Console with '\0'. */
    for (test_console = strtok_r(Console, ",", &state); test_console != NULL;
        test_console = strtok_r(NULL, ",", &state)) {
        if (strcmp(ttyn, test_console) == 0)
            return;
    }

I'm not sure if anything else pays attention to the CONSOLE definition in
/etc/default/login that might get confused though.

So the change is pretty simple.
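The list check requested above, as an added example that is not illumos login code: it scans the CONSOLE value without modifying it, whereas strtok_r() overwrites the commas in Console, and it compares whole entries so that /dev/term/a does not admit /dev/term/ab. The names root_tty_allowed and entry_matches are hypothetical; it assumes that blanks around entries are tolerated, that a /dev/console entry inside a list keeps the /dev/vt/* behaviour described in the quoted message, and that a CONSOLE value with no entries allows no device.

```c
#include <string.h>

#define	DEFAULT_CONSOLE	"/dev/console"
#define	VT_PREFIX	"/dev/vt/"

/* Does the len-byte list entry starting at dev admit root on ttyn? */
static int
entry_matches(const char *ttyn, const char *dev, size_t len)
{
	/* Exact match only: compare lengths first so prefixes do not match. */
	if (strlen(ttyn) == len && strncmp(ttyn, dev, len) == 0)
		return (1);
	/* Per the quoted message, /dev/console also covers /dev/vt/*. */
	return (len == strlen(DEFAULT_CONSOLE) &&
	    strncmp(dev, DEFAULT_CONSOLE, len) == 0 &&
	    strncmp(ttyn, VT_PREFIX, strlen(VT_PREFIX)) == 0);
}

/*
 * Returns 1 if root may log in on ttyn, 0 otherwise.
 * console is the CONSOLE= value, or NULL if the line is absent.
 */
int
root_tty_allowed(const char *ttyn, const char *console)
{
	const char *p = console;

	if (console == NULL)
		return (1);	/* CONSOLE unset: any device */
	while (*p != '\0') {
		size_t len;

		p += strspn(p, ", \t");	/* skip separators and blanks */
		len = strcspn(p, ", \t");	/* length of this entry */
		if (len > 0 && entry_matches(ttyn, p, len))
			return (1);
		p += len;
	}
	return (0);	/* set, but no entry matched (or list was empty) */
}
```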
