Ticket #657 (closed defect: fixed)
lucid cluster installs permit graphical root logins
| Reported by: | jdreed | Owned by: | |
|---|---|---|---|
| Priority: | blocker | Milestone: | Summer 2010 (Lucid Deploy) |
| Component: | -- | Keywords: | |
| Cc: | | Fixed in version: | |
| Upstream bug: | LP:484317 | | |
Description
This is not good.
Change History
comment:2 Changed 13 years ago by jdreed
- Upstream bug set to LP:484317
Known bug, apparently. Upstream's solution is "Go have fun with PAM", but since new GDM doesn't actually display any PAM messages, that kind of sucks.
comment:3 Changed 13 years ago by geofft
Wait up. I thought we did awesome things to not set a root password until you're inside the chroot? (Or did that go away once we stopped special-casing the quickstations to not do the chroots? Can we bring that back?)
I don't think we care what the PAM message is here, I think -- "Authentication failure" is quite fine.
comment:4 Changed 13 years ago by jdreed
That went away. Certainly Lucid cluster installs at the moment have root passwords. And arguably, that's helpful for debugging.
Unless there's a good reason not to, I think we should try the PAM route.
comment:5 Changed 13 years ago by jdreed
See also the patch in https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/484317/comments/10, if we want to go the route of debathenifying gdm. (I bet we don't).
My current plan is to give workstation users and lower the new upstream behavior (whether it was intended or not), and put the PAM code in c-l-c.
comment:6 Changed 13 years ago by jdreed
- Status changed from new to committed
Committed in r24810. I'd like feedback before I build it.
So, do we just need to add something like this to /etc/security/access.conf?
That doesn't really help -workstation users, however (where root should be allowed to log in on, say, tty1, but not from gdm). And thanks to X hopping around to whatever VT it feels like, we can't even just deny from tty7.