
Re: [OT] sudo: restrict to physical console only?



On Tue, Aug 04, 2020 at 04:09:30PM +0200, Marco Möller wrote:
> The idea of Tomas to look in /etc/sudoers.conf for something like 'requiretty' sounds promising. I will need a couple of days to read and learn about this and then testing it.

That won't work. Anything that's based on identifying a "safe" tty won't work on a modern system. (In the old days you could identify a trusted tty by tracing its physical attachment. So /etc/securetty made sense because it was those terminals whose serial cables terminated in secure areas or which were directly attached, like the Linux text console. But once X came along people wanted to use virtual terminals--at which point the idea of a secure physically-connected terminal went right out the Xwindow.) To get similar functionality now, you'd need something that has a concept of what is a local login vs what is a remote login. You could experiment with using systemd/polkit to do this, for example. *BUT* this approach is more inherently fragile, and it would be really good to make sure you have an actual root password to facilitate recovery, as someone suggested earlier.
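An added example, not from the thread: the local-vs-remote distinction the reply points at, expressed as a POSIX sh classifier over the Remote and Seat properties that systemd-logind records for every session. The function names and the fail-closed policy (anything not clearly a seated, non-remote session counts as unknown) are my own assumptions, not anything from the thread.

```shell
#!/bin/sh
# Classify a logind session as a local console login or a remote one.
# classify_session reads "Key=Value" lines on stdin, exactly as printed by
#   loginctl show-session "$XDG_SESSION_ID" -p Remote -p Seat
# so it can be exercised on constructed input where logind is not running.
# A session is only "local" when logind says Remote=no AND it is bound to a
# seat; everything else is "remote" or "unknown", so a policy layered on top
# errs toward denying rather than granting.

classify_session() {
    remote=""
    seat=""
    while IFS='=' read -r key value; do
        case "$key" in
            Remote) remote="$value" ;;
            Seat)   seat="$value" ;;
        esac
    done
    if [ "$remote" = "yes" ]; then
        echo remote
    elif [ "$remote" = "no" ] && [ -n "$seat" ]; then
        echo local
    else
        echo unknown    # no seat or missing data: never assume local
    fi
}

# Classify the calling session. Needs logind and an inherited XDG_SESSION_ID;
# returns "unknown" when either is absent.
classify_current_session() {
    if [ -z "$XDG_SESSION_ID" ] || ! command -v loginctl >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    loginctl show-session "$XDG_SESSION_ID" -p Remote -p Seat 2>/dev/null \
        | classify_session
}

# Constructed inputs: a text-console login and an SSH login as logind reports them.
console_sample() { printf 'Remote=no\nSeat=seat0\n'; }
ssh_sample()     { printf 'Remote=yes\nSeat=\n'; }
```

Note that `su`, `sudo` and `screen` run inside the session that started them, so an SSH login that becomes root still reports Remote=yes.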

