From: Brian Somers
To: Archie Cobbs
Cc: freebsd-bugs@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: bin/26996: sshd fails when / mounted read-only
Date: Fri, 04 May 2001 11:10:34 +0100
Message-Id: <200105041010.f44AAYB29050@hak.lan.Awfulhak.org>
In-Reply-To: Message from Archie Cobbs of "Thu, 03 May 2001 16:10:03 PDT." <200105032310.f43NA3Y03814@freefall.freebsd.org>

> > > Also, how come e.g. telnetd doesn't have the same problem? If telnetd
> > > can work why can't sshd?
> >
> > Not immediately sure.
>
> ...so either telnetd has a security hole, or this bug can be fixed
> without lessening security. Either way, we should do something.. :-)
>
> It seems like it should be OK to leave the tty owned by root/wheel
> (if that's who owns it) because they are a secure user and group..?
> I.e., if either one is broken then you have larger security problems
> to worry about.

I'd tend to agree. The reason the chown is desired is so that things
like mesg(1) work - but in a read-only environment I'd prefer to have
access with no messages than to have no access at all.

Of course the problem goes away with devfs - that's why I never
complained about this before (despite it irritating me).

> -Archie
>
> __________________________________________________________________________
> Archie Cobbs * Packet Design * http://www.packetdesign.com

--
Brian
Don't _EVER_ lose your sense of humour !
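
The relaxation discussed in this thread, written out as an added C example (not part of the original messages and not sshd's own code): a failed chown of the tty is tolerated only when the filesystem is read-only and the device already belongs to root or to the login user. The function names `chown_failure_tolerable` and `tty_set_owner` are hypothetical, and accepting a tty already owned by the login user is an assumption beyond the root/wheel case named above.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy from the thread: a failed chown is tolerable only when the
 * filesystem is read-only (EROFS) and the tty already belongs to root
 * or to the login user, so no other account controls the device. */
int chown_failure_tolerable(int err, uid_t owner, uid_t user)
{
    return err == EROFS && (owner == 0 || owner == user);
}

/* Hypothetical helper (name and signature are assumptions).
 * Returns 0 if the session may proceed, -1 if it must be refused. */
int tty_set_owner(const char *tty, uid_t user, gid_t group)
{
    struct stat st;

    if (stat(tty, &st) == -1)
        return -1;
    if (st.st_uid == user && st.st_gid == group)
        return 0;                   /* already correct, nothing to change */
    if (chown(tty, user, group) == 0)
        return 0;
    if (chown_failure_tolerable(errno, st.st_uid, user)) {
        /* Access is granted, but mesg(1) and friends will not work. */
        fprintf(stderr, "warning: %s stays owned by uid %lu: %s\n",
                tty, (unsigned long)st.st_uid, strerror(EROFS));
        return 0;
    }
    return -1;                      /* any other failure refuses the login */
}

int main(void)
{
    /* Constructed cases: (errno from chown, current owner, login uid). */
    printf("%d\n", chown_failure_tolerable(EROFS, 0, 1001));    /* 1 */
    printf("%d\n", chown_failure_tolerable(EROFS, 1002, 1001)); /* 0 */
    printf("%d\n", chown_failure_tolerable(EPERM, 0, 1001));    /* 0 */
    return 0;
}
```

A tty left owned by some third user on a read-only filesystem is still refused, which keeps the failure closed in the one case where another account could read or write the session.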