From: mqudsi@neosmart.net
To: freebsd-current@freebsd.org
Subject: Allowing local console root login on PAM initialization failure
Date: Fri, 29 Dec 2017 23:47:28 +0000
Message-ID: <01010160a4ac5f03-b7b69fa3-f430-4695-ac50-a27304437eeb-000000@us-west-2.amazonses.com>

Hello all,

I have a question regarding the behavior of the PAM module, in particular pertaining to the default behavior wherein root login is completely disabled (even from the physical console) when the permissions on the PAM configuration files in `/etc/pam.d/` are incorrect (anything other than `600`).

It absolutely makes sense for the PAM mechanism to fail to initialize for safety reasons under these circumstances, and activities such as remote login, ssh authentication, su/sudo, etc. all make sense to be blocked. But given that the PAM configuration can be reset from the local machine in single user mode, is there a benefit to blocking root login at the tty when PAM fails to initialize?

For reference, attempting to log in at the console when the permissions on `/etc/pam.d/` are incorrect gives the following error:

```
freebsd login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions
freebsd login: pam_start(): system error
```

Just wondering if this behavior is intentional or if patches to allow login at the local console upon PAM failure would be welcomed.

Thank you,

Mahmoud Al-Qudsi
NeoSmart Technologies
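
An added example, not part of the original post and not OpenPAM code: a POSIX sh pre-flight check for the condition behind the error above, meant to be run before logging out or rebooting. It assumes a policy file is unsafe when it is not owned by the expected user or is writable by group or other; `pam_policy_audit` and its arguments are hypothetical names, and the optional third argument enforces an exact mode such as the `600` mentioned in the post.

```shell
#!/bin/sh
# Added example: audit a PAM policy directory before logging out or rebooting.
# Assumed criterion (not taken from the post): a policy file is unsafe when it
# is not owned by the expected user or is writable by group or other.
#
# pam_policy_audit DIR [OWNER] [EXACT_MODE]
#   DIR         directory holding policy files (e.g. /etc/pam.d)
#   OWNER       expected owner, name or numeric uid (default: root)
#   EXACT_MODE  optional octal mode every file must match exactly (e.g. 600)
# Prints one line per offending file.
# Returns 0 if clean, 1 if any file is unsafe, 2 if DIR is not a directory.
pam_policy_audit() {
    dir=$1
    owner=${2:-root}
    exact=${3:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Wrong owner, or group/other write bit set.
    bad=$(find "$dir" -type f \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)

    # Optional stricter policy: flag anything that is not exactly EXACT_MODE.
    if [ -n "$exact" ]; then
        strict=$(find "$dir" -type f ! -perm "$exact" -print)
        bad=$(printf '%s\n%s\n' "$bad" "$strict" | sort -u | sed '/^$/d')
    fi

    [ -z "$bad" ] && return 0

    printf '%s\n' "$bad" | while IFS= read -r f; do
        # ls -ld works on both FreeBSD and GNU userlands, unlike stat(1) flags.
        echo "UNSAFE: $(ls -ld "$f")"
    done
    return 1
}

# Typical use, as root:  pam_policy_audit /etc/pam.d root
```

A non-zero return while a root shell is still open leaves room to correct ownership and modes before the next login attempt fails with the `pam_start(): system error` shown above.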