Test also whether the tty is in the /sys/class/tty/console/active file.
authorTomas Mraz <tmraz@fedoraproject.org>
Mon, 13 Jun 2011 18:27:18 +0000 (20:27 +0200)
committerTomas Mraz <tmraz@fedoraproject.org>
Mon, 13 Jun 2011 18:27:18 +0000 (20:27 +0200)
ChangeLog
modules/pam_securetty/pam_securetty.8.xml
modules/pam_securetty/pam_securetty.c

index bcd456c3eb406e29b55fd6745d1b095d0cd7b083..299b316784ab4f26e655fa6b8582658af47fb9fb 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-06-13  Tomas Mraz  <tm@t8m.info>
+
+       * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Test
+       also whether the tty is in the /sys/class/tty/console/active file.
+       * modules/pam_securetty/pam_securetty.8.xml: Document the new check of
+       /sys/class/tty/console/active/file.
+
 2011-06-07  Tomas Mraz  <tm@t8m.info>
 
        * modules/pam_namespace/pam_namespace.c (root_shared): New
index c5d6c5fe3caa29f040380dd10b7d47a569a7d8d6..48215f5ffe97d4d9b08186e099c2ace88f764376 100644 (file)
@@ -35,7 +35,8 @@
       to make sure that <filename>/etc/securetty</filename> is a plain
       file and not world writable. It will also allow root logins on
       the tty specified with <option>console=</option> switch on the
-      kernel command line.
+      kernel command line and on ttys from the
+      <filename>/sys/class/tty/console/active</filename>.
     </para>
     <para>
       This module has no effect on non-root users and requires that the
@@ -70,8 +71,9 @@
         <listitem>
           <para>
             Do not automatically allow root logins on the kernel console
-            device, as specified on the kernel command line, if it is
-            not also specified in the <filename>/etc/securetty</filename> file.
+            device, as specified on the kernel command line or by the sys file,
+            if it is not also specified in the
+            <filename>/etc/securetty</filename> file.
           </para>
         </listitem>
       </varlistentry>
index 99c6371fddeaca10d6b8ca298b092c1a13b6264a..4e97ef59ce75144b2f09e66021f3aef9fac2e9f4 100644 (file)
@@ -3,6 +3,7 @@
 #define SECURETTY_FILE "/etc/securetty"
 #define TTY_PREFIX     "/dev/"
 #define CMDLINE_FILE   "/proc/cmdline"
+#define CONSOLEACTIVE_FILE     "/sys/class/tty/console/active"
 
 /*
  * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
@@ -169,7 +170,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
                 if (p > line && p[-1] != ' ')
                     continue;
 
-                /* Ist this our console? */
+                /* Is this our console? */
                 if (strncmp(p + 8, uttyname, strlen(uttyname)))
                     continue;
 
@@ -182,6 +183,36 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
             }
         }
     }
+    if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+        FILE *consoleactivefile;
+
+        /* Allow access from the active console */
+        consoleactivefile = fopen(CONSOLEACTIVE_FILE, "r");
+
+        if (consoleactivefile != NULL) {
+            char line[LINE_MAX], *p, *n;
+
+            line[0] = 0;
+            p = fgets(line, sizeof(line), consoleactivefile);
+            fclose(consoleactivefile);
+
+           if (p) {
+               /* remove the newline character at end */
+               if (line[strlen(line)-1] == '\n')
+                   line[strlen(line)-1] = 0;
+
+               for (n = p; n != NULL; p = n+1) {
+                   if ((n = strchr(p, ' ')) != NULL)
+                       *n = '\0';
+
+                   if (strcmp(p, uttyname) == 0) {
+                       retval = 0;
+                       break;
+                   }
+               }
+           }
+       }
+    }
 
     if (retval) {
            pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
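Review bot: The newline strip at `if (line[strlen(line)-1] == '\n')` indexes one byte before the buffer whenever `fgets` returns a string of length zero, which happens if the first byte read from the sysfs file is a NUL; that is an out-of-bounds write in an access-control decision path, even if a kernel-provided file is unlikely to produce it. A length-guarded form avoids it: `size_t len = strlen(line);` / `if (len > 0 && line[len-1] == '\n')` / `line[len-1] = '\0';`. The token loop also compares every space-separated entry, including empty ones from consecutive spaces, against `uttyname` with `strcmp`; that is presumably harmless because `uttyname` is non-empty by this point, but it is worth confirming, since the match grants root login on a tty that is not in `/etc/securetty`. As a style point, the added lines from `if (p) {` onward use a different indentation unit from the rest of the function. The `if (retval)` denial branch at the end continues past the hunk.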