Hello all,
Stephen Gallagher [2019-01-01 9:14 -0500]:
I had an idea this morning, however. Once Cockpit is started, the MOTD
provides useful information to all users logging in, so that needs to stay.
The “how to start” message could probably be restricted to showing only to
those users who are known to be capable of starting it (generally, root and
members of the “wheel” group).
I need to test an idea (I’m on holiday today, back in the office tomorrow),
but I think what we could do is set the ownership of the static MOTD to
root:wheel and mode 0640. As long as pam_motd handles permission errors
gracefully, it would only display that message to someone who met that
criteria.
pam_motd should handle absent files gracefully; we already tested it with
dangling symlinks and such. However, it seems pam_motd does not actually run
with the user's privileges, but with root's? I tested your idea of making the
file inaccessible (root:wheel 640), but it doesn't work:
| $ ssh test@127.0.0.2
| test@127.0.0.2's password:
| Activate the web console with: systemctl enable --now cockpit.socket
|
| Last login: Wed Jan 16 05:11:16 2019 from 172.27.0.2
| [test@m1 ~]$ cat /etc/motd.d/cockpit
| cat: /etc/motd.d/cockpit: Permission denied
Martin
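The test above shows that pam_motd opens /etc/motd.d/* as root, so a root:wheel 0640 mode never filters who sees the message; the decision has to be made per user instead. The sketch below is an added example, not code from the thread or from Cockpit, and it takes wheel membership from a constructed /etc/group-style database (assumption: supplementary groups only, primary GIDs from passwd are ignored).

```shell
#!/bin/sh
# Added example (not from the thread or from Cockpit). Decide per user whether
# the "how to start" hint applies, instead of relying on file permissions that
# pam_motd, running as root, never hits.

# Constructed sample in /etc/group format: name:password:gid:member,member
SAMPLE_GROUP_DB='root:x:0:
wheel:x:10:alice,bob
users:x:100:carol'

# Print the comma-separated member list of group $1 from the database text $2.
group_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# Return 0 when user $1 is root or is listed in wheel in database $2.
can_manage_cockpit() {
    [ "$1" = "root" ] && return 0
    members=$(group_members wheel "$2")
    old_ifs=$IFS; IFS=,
    for m in $members; do
        if [ "$m" = "$1" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Emit the motd fragment only to users who could act on it; silent otherwise.
cockpit_hint_for() {
    if can_manage_cockpit "$1" "$2"; then
        printf '%s\n' 'Activate the web console with: systemctl enable --now cockpit.socket'
    fi
}
```

A real deployment would read /etc/group (or `id -nG "$USER"`) from a login-time script rather than a pam_motd file, since pam_motd has no per-user filtering.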