From cda7bd483b42a39157e69271fa2211d7e89944dc Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 13 Jun 2011 20:27:18 +0200
Subject: Test also whether the tty is in the /sys/class/tty/console/active file.
---
 modules/pam_securetty/pam_securetty.8.xml | 8 +++++---
 modules/pam_securetty/pam_securetty.c | 33 ++++++++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 4 deletions(-)
(limited to 'modules/pam_securetty')
diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml
index c5d6c5fe..48215f5f 100644
--- a/modules/pam_securetty/pam_securetty.8.xml
+++ b/modules/pam_securetty/pam_securetty.8.xml
@@ -35,7 +35,8 @@
 to make sure that /etc/securetty is a plain file and not world writable. It will also allow root logins on the tty specified with switch on the
- kernel command line.
+ kernel command line and on ttys from the
+ /sys/class/tty/console/active.
 This module has no effect on non-root users and requires that the
@@ -70,8 +71,9 @@
 Do not automatically allow root logins on the kernel console
- device, as specified on the kernel command line, if it is
- not also specified in the /etc/securetty file.
+ device, as specified on the kernel command line or by the sys file,
+ if it is not also specified in the
+ /etc/securetty file.
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index 99c6371f..4e97ef59 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -3,6 +3,7 @@
 #define SECURETTY_FILE "/etc/securetty"
 #define TTY_PREFIX "/dev/"
 #define CMDLINE_FILE "/proc/cmdline"
+#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
 /* * by Elliot Lee , Red Hat Software.
@@ -169,7 +170,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
 if (p > line && p[-1] != ' ') continue;
- /* Ist this our console? */
+ /* Is this our console? */
 if (strncmp(p + 8, uttyname, strlen(uttyname))) continue;
@@ -182,6 +183,36 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
 }
 }
 }
+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+ FILE *consoleactivefile;
+
+ /* Allow access from the active console */
+ consoleactivefile = fopen(CONSOLEACTIVE_FILE, "r");
+
+ if (consoleactivefile != NULL) {
+ char line[LINE_MAX], *p, *n;
+
+ line[0] = 0;
+ p = fgets(line, sizeof(line), consoleactivefile);
+ fclose(consoleactivefile);
+
+ if (p) {
+ /* remove the newline character at end */
+ if (line[strlen(line)-1] == '\n')
+ line[strlen(line)-1] = 0;
+
+ for (n = p; n != NULL; p = n+1) {
+ if ((n = strchr(p, ' ')) != NULL)
+ *n = '\0';
+
+ if (strcmp(p, uttyname) == 0) {
+ retval = 0;
+ break;
+ }
+ }
+ }
+ }
+ }
 if (retval) {
 pam_syslog(pamh, LOG_WARNING,
 "access denied: tty '%s' is not secure !",
-- cgit v1.2.3
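Review bot: `line[strlen(line)-1]` in the newline-stripping check indexes `line[-1]` whenever `strlen(line)` is 0, which can happen even though `fgets` returned non-NULL if the first byte read is a NUL; compute the length once and guard it, `size_t len = strlen(line); if (len > 0 && line[len-1] == '\n') line[len-1] = '\0';`. The token loop compares each space-separated entry of the sys file exactly with `strcmp`, while the cmdline check earlier in securetty_perform_check uses a prefix `strncmp`; a comment such as `/* console/active holds a space-separated list of tty names; match whole tokens only */` would make the intentional difference clear. Because only one `fgets` of `LINE_MAX` bytes is read, a longer line would leave a truncated final token that never matches; that limit is presumably fine for a kernel-generated list, but is worth stating in the same comment. securetty_perform_check begins outside this hunk.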