Allowing local console root login on PAM initialization failure

mqudsi at mqudsi at
Fri Dec 29 23:47:30 UTC 2017

Hello all,

I have a question regarding the behavior of the PAM module, in particular
pertaining to the default behavior wherein root login is completely disabled
(even from the physical console) when the permissions on the PAM configuration
files in `/etc/pam.d/` are incorrect (anything other than `600`).

It absolutely makes sense for the PAM mechanism to fail to initialize for
safety reasons under these circumstances, and activities such as remote login,
ssh authentication, su/sudo, etc. all make sense to be blocked. But given that
the PAM configuration can be reset from the local machine in single user mode,
is there a benefit to blocking root login at the tty when PAM fails to

For reference, attempting to log in at the console when the permissions on
`/etc/pam.d/` are incorrect gives the following error:

freebsd login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure
ownership or permissions
freebsd login: pam_start(): system error

Just wondering if this behavior is intentional or if patches to allow login
at the local console upon PAM failure would be welcomed.

Thank you,

Mahmoud Al-Qudsi
NeoSmart Technologies

More information about the freebsd-current mailing list