authorTomas Mraz <tmraz@fedoraproject.org>2011-06-13 20:27:18 +0200
committerTomas Mraz <tmraz@fedoraproject.org>2011-06-13 20:27:18 +0200
commitcda7bd483b42a39157e69271fa2211d7e89944dc (patch)
treedaba0867c96bcd60d60ffb235d1de983eac60e12
parent2cd2fb864a52e71a5f6c15aea1cc7e953674aeb6 (diff)
Test also whether the tty is in the /sys/class/tty/console/active file.
-rw-r--r--ChangeLog7
-rw-r--r--modules/pam_securetty/pam_securetty.8.xml8
-rw-r--r--modules/pam_securetty/pam_securetty.c33
3 files changed, 44 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index bcd456c3..299b3167 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-06-13 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Test
+ also whether the tty is in the /sys/class/tty/console/active file.
+ * modules/pam_securetty/pam_securetty.8.xml: Document the new check of
+ /sys/class/tty/console/active/file.
+
2011-06-07 Tomas Mraz <tm@t8m.info>
* modules/pam_namespace/pam_namespace.c (root_shared): New
diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml
index c5d6c5fe..48215f5f 100644
--- a/modules/pam_securetty/pam_securetty.8.xml
+++ b/modules/pam_securetty/pam_securetty.8.xml
@@ -35,7 +35,8 @@
to make sure that <filename>/etc/securetty</filename> is a plain
file and not world writable. It will also allow root logins on
the tty specified with <option>console=</option> switch on the
- kernel command line.
+ kernel command line and on ttys from the
+ <filename>/sys/class/tty/console/active</filename>.
</para>
<para>
This module has no effect on non-root users and requires that the
@@ -70,8 +71,9 @@
<listitem>
<para>
Do not automatically allow root logins on the kernel console
- device, as specified on the kernel command line, if it is
- not also specified in the <filename>/etc/securetty</filename> file.
+ device, as specified on the kernel command line or by the sys file,
+ if it is not also specified in the
+ <filename>/etc/securetty</filename> file.
</para>
</listitem>
</varlistentry>
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index 99c6371f..4e97ef59 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -3,6 +3,7 @@
#define SECURETTY_FILE "/etc/securetty"
#define TTY_PREFIX "/dev/"
#define CMDLINE_FILE "/proc/cmdline"
+#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
/*
* by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
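Review bot: The new CONSOLEACTIVE_FILE define names a sysfs path with no hint of what the module expects to find there or why it is consulted without the plain-file / not-world-writable check the man page describes for /etc/securetty. Elsewhere in this commit the file is opened read-only, its first line is taken, split on spaces and each token compared to the tty name, so a short comment on the define would save the next reader a trip: `#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" /* kernel-provided, space-separated list of active console ttys; only the first line is read */`. Whether the kernel can ever write more than one line to that attribute I cannot tell from this diff, so that last clause is worth confirming before it is committed as fact.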
@@ -169,7 +170,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
if (p > line && p[-1] != ' ')
continue;
- /* Ist this our console? */
+ /* Is this our console? */
if (strncmp(p + 8, uttyname, strlen(uttyname)))
continue;
@@ -182,6 +183,36 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
}
}
}
+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+ FILE *consoleactivefile;
+
+ /* Allow access from the active console */
+ consoleactivefile = fopen(CONSOLEACTIVE_FILE, "r");
+
+ if (consoleactivefile != NULL) {
+ char line[LINE_MAX], *p, *n;
+
+ line[0] = 0;
+ p = fgets(line, sizeof(line), consoleactivefile);
+ fclose(consoleactivefile);
+
+ if (p) {
+ /* remove the newline character at end */
+ if (line[strlen(line)-1] == '\n')
+ line[strlen(line)-1] = 0;
+
+ for (n = p; n != NULL; p = n+1) {
+ if ((n = strchr(p, ' ')) != NULL)
+ *n = '\0';
+
+ if (strcmp(p, uttyname) == 0) {
+ retval = 0;
+ break;
+ }
+ }
+ }
+ }
+ }
if (retval) {
pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",