Re: /run and read-only /etc
This one time, at band camp, kcr@debian.org wrote:
>Sorry to reopen this at such a late date, but I'm way behind on -devel.
>
>"Hi, I'm Karl and I maintain login and passwd."
>
>Thomas Hood <jdthood0@yahoo.co.uk> writes:
>> * pam, shadow
>> Allow either /etc/nologin or /run/nologin to prevent non-root logins
>
>I don't like the idea of having multiple files to turn off logins. (I
>can't log into my system, and /etc/nologin doesn't exist! What? didn't you
>know about this *other* file?) I also don't want to solve this with a
>symlink.
I don't have a problem with that, except that a lot of people are going to
complain when /etc/nologin no longer prevents non-root logins.
The patches specifically only create /run/nologin when the machine is
shutting down and removes it when the machine is booting up, so while no-one
else creates /run/nologin there is no change in behaviour. Granted someone
may actually do that; would a message inside /run/nologin warning that
"/run/nologin is in place, non-root logins disallowed" be better? As I
recall, the contents of the files get displayed to the user attempting to
log in. Such a message would alert anyone attempting to login what
restriction is in place.
>I would favor (even though it's weird from the pan-unix admin point of
>view) just deprecating /etc/nologin in favor of something more "sensible".
>
>It would also be nice to have some blessing of /run in the policy first,
>but that doesn't seem terribly likely.
I am currently drafting a policy amendment, stay tuned. In the meantime, do
not feel you have to wait for policy to apply the patches to pam and login,
because they will still work with Debian as it currently stands; that is, as
long as you have been convinced of its merit.
--
jaq@debian.org http://people.debian.org/~jaq
Reply to: