From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/2 v4] core/skeleton: drop /etc/securetty
Date: Mon, 13 Jul 2015 12:37:35 +0200 [thread overview]
Message-ID: <20150713103735.GI4008@free.fr> (raw)
In-Reply-To: <20150713094433.GL2451@tarshish>
Baruch, All,
On 2015-07-13 12:44 +0300, Baruch Siach spake thusly:
> On Mon, Jul 13, 2015 at 11:35:52AM +0200, Yann E. MORIN wrote:
> > On 2015-07-13 12:20 +0300, Baruch Siach spake thusly:
> > > On Mon, Jul 13, 2015 at 11:05:35AM +0200, Yann E. MORIN wrote:
> > > > securetty is supposed to restrict the terminals root is allowed to
> > > > login from. As it happens, login from busybox (w/ securetty support)
> > > > is actually enforcing use of securetty, while login from util-linux
> > > > is completely ignoring securetty altogether.
> > > >
> > > > Remove securetty from our skeleton altogether and stop worrying about
> > > > it.
> > >
> > > But CONFIG_FEATURE_SECURETTY=y is still there in current
> > > package/busybox/busybox.config. Shouldn't we disable it first?
> >
> > Indeed, it is still present, but that does not prevent root login to
> > work when /etc/securetty is missing.
> >
> > So, I decided to leave it as-is.
>
> It would still break overlays with /etc/securetty (maybe locally modified).
> Why not just disable Busybox FEATURE_SECURETTY?
After discussing this with Thomas, we've decided to keep it, especially
to keep the case you mention (custom securetty from overlay) is still
working as expected.
The reasoning is that a user which installs a custom /etc/securetty will
obviously have it contain the ttys he wants root to log in from, so he'd
still be able to log in as root from those ttys.
But if we were to remove FEATURE_SECURETTY, then he'd still be able to
log in as root from those ttys, but *also* from *any other* tty, and
would probably not notice that change as this is a silent change.
So, we've concluded that we should keep FEATURE_SECURETTY since it works
for our new use-case, and works for existing use-cases.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
next prev parent reply other threads:[~2015-07-13 10:37 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-13 9:05 [Buildroot] [PATCH 0/2 v4] busybox: improve support for telnetd (branch yem/pw) Yann E. MORIN
2015-07-13 9:05 ` [Buildroot] [PATCH 1/2 v4] core/skeleton: drop /etc/securetty Yann E. MORIN
2015-07-13 9:20 ` Baruch Siach
2015-07-13 9:35 ` Yann E. MORIN
2015-07-13 9:44 ` Baruch Siach
2015-07-13 10:37 ` Yann E. MORIN [this message]
2015-07-13 10:46 ` Baruch Siach
2015-07-13 11:42 ` Arnout Vandecappelle
2015-07-13 9:05 ` [Buildroot] [PATCH 2/2 v4] busybox: improve support for telnetd Yann E. MORIN
2015-07-13 11:02 ` [Buildroot] [PATCH 0/2 v4] busybox: improve support for telnetd (branch yem/pw) Thomas Petazzoni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150713103735.GI4008@free.fr \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox