From owner-freebsd-bugs  Fri May  4  3:12:52 2001
Delivered-To: freebsd-bugs@freebsd.org
Received: from Awfulhak.org (awfulhak.demon.co.uk [194.222.196.252])
	by hub.freebsd.org (Postfix) with ESMTP id 2C47537B423
	for <freebsd-bugs@FreeBSD.ORG>; Fri,  4 May 2001 03:12:49 -0700 (PDT)
	(envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12])
	by Awfulhak.org (8.11.3/8.11.3) with ESMTP id f44AC7q11630;
	Fri, 4 May 2001 11:12:07 +0100 (BST)
	(envelope-from brian@lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1])
	by hak.lan.Awfulhak.org (8.11.3/8.11.3) with ESMTP id f44AD1B29165;
	Fri, 4 May 2001 11:13:01 +0100 (BST)
	(envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200105041013.f44AD1B29165@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Peter Pentchev <roam@orbitel.bg>
Cc: Archie Cobbs <archie@packetdesign.com>, freebsd-bugs@FreeBSD.ORG,
	brian@Awfulhak.org
Subject: Re: bin/26996: sshd fails when / mounted read-only 
In-Reply-To: Message from Peter Pentchev <roam@orbitel.bg> 
   of "Fri, 04 May 2001 08:51:33 +0300." <20010504085133.A13382@ringworld.oblivion.bg> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 04 May 2001 11:13:01 +0100
From: Brian Somers <brian@Awfulhak.org>
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >  It seems like it should be OK to leave the tty owned by root/wheel
> >  (if that's who owns it) because they are a secure user and group..?
> >  I.e., if either one is broken then you have larger security problems
> >  to worry about.
> 
> It's not just ownership; the permissions have to be changed from
> the default 666, and once you change them, you had better change
> the owner, too, so the logged-in user can actually use his tty..
> 
> Actually, telnetd does have the same weakness: on a read-only filesystem,
> it leaves it to login(1) to change the tty owner/mode, and login(1) fails,
> with just a syslog'd message.  The user *is* logged in, but everyone
> can open his tty for reading and writing.  The difference is that
> sshd refuses to even let the user log in.

Perhaps pty permissions should default to root:wheel/600 ?

> G'luck,
> Peter
> 
> -- 
> Nostalgia ain't what it used to be.

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message