From owner-freebsd-bugs Wed May 2 19: 0: 7 2001
Date: Wed, 2 May 2001 19:00:03 -0700 (PDT)
Message-Id: <200105030200.f43203I20305@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Kris Kennaway
Subject: Re: bin/26996: sshd fails when / mounted read-only
Reply-To: Kris Kennaway

The following reply was made to PR bin/26996; it has been noted by GNATS.

From: Kris Kennaway
To: Archie Cobbs
Cc: Kris Kennaway, FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/26996: sshd fails when / mounted read-only
Date: Wed, 2 May 2001 18:57:38 -0700

On Wed, May 02, 2001 at 03:38:07PM -0700, Archie Cobbs wrote:
> Kris Kennaway wrote:
> > > This patch fixes the problem, but may cause other
> > > security problems (or may not, I'm not sure):
> >
> > In fact it does; if the ownership and permissions of pty devices isn't
> > changed it allows any other users on the system to read and write to
> > that pty, snooping passwords and the like. The real solution would be
> > to use devfs or mount your /dev on a MFS or something (with a minimal
> > static /dev on / to handle bootstrapping).
>
> So, how about a flag to sshd to make it allow this behavior with
> suitably strong warnings in the man page?

I'm not sure about this..our ssh code is already difficult enough to
update because of divergences. It would be up to Brian.

> Also, how come e.g. telnetd doesn't have the same problem? If telnetd
> can work why can't sshd?

Not immediately sure.

Kris
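
The exposure discussed in this thread (a pty whose ownership and permissions were never changed stays readable and writable by other users) can be checked on a running system. The following C program is an added example, not code from sshd or from this thread; the function names, flag names and the tolerance for group write (the common mode-0620 tty-group convention) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Flag names are hypothetical, chosen for this example. */
#define PTY_NOT_CHARDEV 0x1 /* path is not a character device */
#define PTY_WRONG_OWNER 0x2 /* device not owned by the session user */
#define PTY_OTHERS_READ 0x4 /* group/other can read: keystrokes can be snooped */
#define PTY_WORLD_WRITE 0x8 /* other can write: input can be injected */

/* Classify an already-fetched stat result for a pty slave device. */
int pty_perm_problems(const struct stat *st, uid_t session_uid)
{
    int problems = 0;

    if (!S_ISCHR(st->st_mode))
        problems |= PTY_NOT_CHARDEV;
    if (st->st_uid != session_uid)
        problems |= PTY_WRONG_OWNER;
    /* Assumption: group write alone is tolerated (0620, group tty). */
    if (st->st_mode & (S_IRGRP | S_IROTH))
        problems |= PTY_OTHERS_READ;
    if (st->st_mode & S_IWOTH)
        problems |= PTY_WORLD_WRITE;
    return problems;
}

/* stat() a device path and classify it; returns -1 if stat() fails. */
int audit_pty_path(const char *path, uid_t session_uid)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;
    return pty_perm_problems(&st, session_uid);
}

int main(int argc, char **argv)
{
    int rc;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <pty-path> <session-uid>\n", argv[0]);
        return 2;
    }
    rc = audit_pty_path(argv[1], (uid_t)strtoul(argv[2], NULL, 10));
    if (rc < 0) { perror(argv[1]); return 2; }
    printf("%s: problems=0x%x%s\n", argv[1], rc, rc ? " (exposed)" : " (ok)");
    return rc ? 1 : 0;
}
```

Run it against the pty of a live login session with that session's numeric uid; a non-zero exit status means the device is still reachable by other local users.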