Date: Fri, 29 Dec 2017 23:47:28 +0000
From: mqudsi@neosmart.net
To: freebsd-current@freebsd.org
Subject: Allowing local console root login on PAM initialization failure
Message-ID: <01010160a4ac5f03-b7b69fa3-f430-4695-ac50-a27304437eeb-000000@us-west-2.amazonses.com>
Hello all,

I have a question regarding the behavior of the PAM module, in particular pertaining to the default behavior wherein root login is completely disabled (even from the physical console) when the permissions on the PAM configuration files in `/etc/pam.d/` are incorrect (anything other than `600`).

It absolutely makes sense for the PAM mechanism to fail to initialize for safety reasons under these circumstances, and activities such as remote login, ssh authentication, su/sudo, etc. all make sense to be blocked. But given that the PAM configuration can be reset from the local machine in single user mode, is there a benefit to blocking root login at the tty when PAM fails to initialize?

For reference, attempting to log in at the console when the permissions on `/etc/pam.d/` are incorrect gives the following error:

```
freebsd login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions
freebsd login: pam_start(): system error
```

Just wondering if this behavior is intentional or if patches to allow login at the local console upon PAM failure would be welcomed.

Thank you,

Mahmoud Al-Qudsi
NeoSmart Technologies
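
An added example, not part of the original message or of FreeBSD/OpenPAM: a pre-logout audit that lists files in a PAM policy directory likely to trigger the "insecure ownership or permissions" error quoted above. The function name `audit_pam_dir`, its optional owner argument, and the condition it tests (unexpected owner, or group/other write bit set) are assumptions of this example; the message itself describes the requirement as mode `600`.

```shell
#!/bin/sh
# Added example: flag PAM policy files with risky ownership or write bits
# before they can lock out console login.
# Assumption: a file counts as "insecure" when it is not owned by the
# expected owner, or is writable by group or by others.

# audit_pam_dir DIR [OWNER]
#   DIR    directory holding the PAM policy files (e.g. /etc/pam.d)
#   OWNER  expected owner, user name or numeric uid (default: root)
# Prints one offending path per line.
# Returns 0 if nothing was flagged, 1 if at least one file was flagged,
# 2 if DIR is not a directory.
audit_pam_dir() {
    dir=$1
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "audit_pam_dir: $dir: not a directory" >&2
        return 2
    fi

    # -perm -020 matches files with the group-write bit set,
    # -perm -002 matches files with the other-write bit set.
    bad=$(find "$dir" -type f \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Running `audit_pam_dir /etc/pam.d` while a root session is still open gives a chance to correct ownership or mode before the next login attempt fails.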