On 7-Oct-08, at 2:05 PM, David Brownlee wrote:
> On Tue, 7 Oct 2008, Greg A. Woods; Planix, Inc. wrote:
>> On 6-Oct-08, at 9:23 PM, Geoff Wing wrote:
>>> On Monday 2008-10-06 12:14 -0400, Greg A. Woods; Planix, Inc. output:
>>>> Strictly speaking "console" should be _removed_ from /etc/ttys. It is (now) always the wrong device to run getty on. A "constty" entry is the only correct way to properly access the system console TTY device.
>>> It still has meaning for single user mode. See init(8):
>> I patched my copy of init.c to call getttynam("constty") a long time ago....
> But then you lose the ability to have the console permit root login with password (constty secure), but still ask for a password when booted into single user (console not secure)
I guess it could be useful to some people to require a single user password while still allowing a direct "root" login on the console device, but in my security policies the console is either always considered to be a part of the physical machine (and thus has the same level of security as the whole machine does) or else it is, in terms of access control, considered to be no more secure than any other means of access (and thus an authorized user must first authenticate before they can then gain root privileges with yet another level of authentication). I.e. if the console device is not secure (say because it can be accessed remotely in some way), then it is not secure. The only reason, in my policies at least, of allowing direct "root" login on any device is because access to that device is sufficiently secured by other means such that the actual human gaining access is already known, authorized, and logged. So, to me it is never necessary to authenticate the person gaining single user access unless it is also always necessary to authenticate the user before they gain root privileges.
As more of an aside I would also say that I've always thought it to be an inappropriate overloading of meaning to have the same flag in the ``console'' entry in /etc/ttys specify both the authorization for root login and the requirement for the root password to get a single-user shell.
Along those lines I've always thought it would be much better to have init run a wrapper script for the single user shell too (i.e. sort of in the same manner as it runs /etc/rc for multi-user boot, eg. /etc/single), and then if authentication is required for single-user access any mechanism can be specified by customizing that script. It could be as simple as replacing the "exec /bin/sh" default line in that script with "exec /bin/login root". I haven't gone so far as to actually implement this on my own systems yet though.
(Yes, I know login(1) is currently installed in /usr/bin and some folks don't put /usr on the root fs, but that can trivially be changed.)
-- Greg A. Woods; Planix, Inc. <woods%planix.ca@localhost>
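As an added sketch (not code from the thread, from NetBSD's init, or from anyone quoted above) of the /etc/single wrapper idea: it decides between a bare shell and login(1) by looking up the "secure" flag on a chosen ttys(5) entry, so the same script serves both the "constty secure / console not secure" split David describes and Greg's "just exec login" variant. The entry names and the embedded /etc/ttys content are constructed sample data.

```sh
#!/bin/sh
# Sketch of a single-user wrapper script. Reads a ttys(5)-format file
# (fields: name getty type status [flags...], "#" starts a comment) and
# reports whether the named entry carries the "secure" flag.

# Constructed sample /etc/ttys content so the script runs offline.
SAMPLE_TTYS='# name  getty                    type    status
console "/usr/libexec/getty Pc"  vt100   off
constty "/usr/libexec/getty Pc"  vt100   on secure
ttyE0   "/usr/libexec/getty Pc"  wsvt25  on secure
tty00   "/usr/libexec/getty std.9600" unknown off'

# tty_is_secure NAME [FILE]: exit 0 if NAME's entry has "secure", else 1.
# Uses FILE when given, otherwise the embedded sample.
tty_is_secure() {
    name=$1
    file=${2:-}
    if [ -n "$file" ]; then
        data=$(cat "$file")
    else
        data=$SAMPLE_TTYS
    fi
    printf '%s\n' "$data" | awk -v want="$name" '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        $1 == want {
            # the getty command is quoted, so scan every field after the
            # name for an exact "secure" token rather than a fixed column
            for (i = 2; i <= NF; i++) if ($i == "secure") found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}

# single_user_command NAME [FILE]: print the line the wrapper would exec.
# A "secure" entry gets a shell directly; anything else (including an
# entry that is missing) goes through login(1) so a password is required.
single_user_command() {
    if tty_is_secure "$1" "${2:-}"; then
        echo "exec /bin/sh"
    else
        echo "exec /bin/login root"
    fi
}
```

Point the wrapper at "constty" to get the root-shell-without-password behaviour when that entry is secure, or at "console" (left insecure in the sample) to always go through login(1).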