Date: Fri, 4 May 2001 13:14:38 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Brian Somers <brian@Awfulhak.org>
Cc: Archie Cobbs <archie@packetdesign.com>, freebsd-bugs@FreeBSD.ORG
Subject: Re: bin/26996: sshd fails when / mounted read-only
Message-ID: <20010504131438.H13382@ringworld.oblivion.bg>
In-Reply-To: <200105041010.f44AAYB29050@hak.lan.Awfulhak.org>; from brian@Awfulhak.org on Fri, May 04, 2001 at 11:10:34AM +0100
References: <archie@packetdesign.com> <200105041010.f44AAYB29050@hak.lan.Awfulhak.org>
On Fri, May 04, 2001 at 11:10:34AM +0100, Brian Somers wrote:
> > > > Also, how come e.g. telnetd doesn't have the same problem? If telnetd
> > > > can work why can't sshd?
> > >
> > > Not immediately sure.
> >
> > ...so either telnetd has a security hole, or this bug can be fixed
> > without lessening security. Either way, we should do something.. :-)
> >
> > It seems like it should be OK to leave the tty owned by root/wheel
> > (if that's who owns it) because they are a secure user and group..?
> > I.e., if either one is broken then you have larger security problems
> > to worry about.
>
> I'd tend to agree. The reason the chown is desired is so that things
> like mesg(1) work - but in a read-only environment I'd prefer to have
> access with no messages than to have no access at all.
>
> Of course the problem goes away with devfs - that's why I never
> complained about this before (despite it irritating me).

Uhm.. Maybe I'm misunderstanding something here (I probably am, too :)

The way I see things, it's like this:

1. initially: owned by root/wheel, mode rw-rw-rw-.
2. user login: mode changed to 600, so others cannot read/write to her tty;
3. owner changed to the user, so she can open her own tty.

I think both steps 2 and 3 are needed - or at least, if 2 is done, 3 is
vewwy-vewwy much needed :)

G'luck,
Peter

-- 
When you are not looking at it, this sentence is in Spanish.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
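The three tty states Peter lists above, worked through as an added example (this is not code from the thread or from OpenSSH). It models a tty device node with owner, group and mode, emulates chown(2)/chmod(2) failing with EROFS the way they do on a device node under a read-only root without devfs, and runs the login sequence in both the strict form (refuse the session if either call fails, which is the bin/26996 behaviour) and the tolerant form Brian prefers (log and carry on). The uids 1001/1002, the primary gid 100 and the "tty" gid 4 are constructed values; the step order (chmod first, then chown) follows the numbering in the message rather than any particular sshd implementation.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model of a tty device node (e.g. a /dev/ttyp* node on a
 * pre-devfs system).  Only what the access check and the chown/chmod
 * emulation need is kept. */
struct ttynode {
    uid_t  uid;
    gid_t  gid;
    mode_t mode;        /* permission bits only */
    int    err_chown;   /* 0 = chown succeeds, else the errno it fails with */
    int    err_chmod;   /* 0 = chmod succeeds, else the errno it fails with */
};

/* Classic discretionary access check: owner bits if the uid matches,
 * otherwise group bits if the gid matches, otherwise the "other" bits.
 * uid 0 bypasses the check, as the kernel does for root. */
int tty_can_open(const struct ttynode *t, uid_t uid, gid_t gid, mode_t want)
{
    mode_t granted;
    if (uid == 0)
        return 1;
    if (uid == t->uid)
        granted = (t->mode >> 6) & 07;
    else if (gid == t->gid)
        granted = (t->mode >> 3) & 07;
    else
        granted = t->mode & 07;
    return (granted & want) == want;
}

/* Emulated chown(2)/chmod(2).  On a read-only root both fail with EROFS
 * for a node under /dev, which is the situation in PR bin/26996. */
int tty_chown(struct ttynode *t, uid_t uid, gid_t gid)
{
    if (t->err_chown) { errno = t->err_chown; return -1; }
    t->uid = uid;
    t->gid = gid;
    return 0;
}

int tty_chmod(struct ttynode *t, mode_t mode)
{
    if (t->err_chmod) { errno = t->err_chmod; return -1; }
    t->mode = mode & 07777;
    return 0;
}

enum { LOGIN_OK = 1, USER_CAN_OPEN = 2, OTHER_CAN_OPEN = 4 };

/* State 1: root:wheel rw-rw-rw-.  Step 2: chmod 0600.  Step 3: chown to
 * the user and the tty group.  tolerate_failure = 0 refuses the session
 * on any failure (strict); 1 logs the error and continues.  Returns a
 * bitmask: was the session granted, and who can then open the tty. */
int simulate_login(int err_chmod, int err_chown, int tolerate_failure)
{
    struct ttynode t = { .uid = 0, .gid = 0, .mode = 0666,
                         .err_chown = err_chown, .err_chmod = err_chmod };
    const uid_t user = 1001, other = 1002;   /* constructed uids */
    const gid_t users_gid = 100, tty_gid = 4; /* constructed gids */
    int result = 0;

    if (tty_chmod(&t, 0600) < 0) {
        fprintf(stderr, "chmod: %s\n", strerror(errno));
        if (!tolerate_failure)
            return 0;
    }
    if (tty_chown(&t, user, tty_gid) < 0) {
        fprintf(stderr, "chown: %s\n", strerror(errno));
        if (!tolerate_failure)
            return 0;
    }
    result |= LOGIN_OK;
    if (tty_can_open(&t, user, users_gid, 06))
        result |= USER_CAN_OPEN;
    if (tty_can_open(&t, other, users_gid, 06))
        result |= OTHER_CAN_OPEN;
    return result;
}

int main(void)
{
    printf("rw root, strict:              %d\n", simulate_login(0, 0, 0));
    printf("ro root, strict (the PR):     %d\n", simulate_login(EROFS, EROFS, 0));
    printf("ro root, tolerant:            %d\n", simulate_login(EROFS, EROFS, 1));
    printf("chmod ok, chown failed, tol.: %d\n", simulate_login(0, EROFS, 1));
    return 0;
}
```

The last case is the one Peter warns about: if step 2 goes through but step 3 does not, the node is root:wheel 0600 and the user is locked out of her own tty (result 1, session granted but USER_CAN_OPEN clear). When both calls fail and sshd carries on, the node stays at its initial rw-rw-rw-, so the user gets in but so does everyone else (result 7), which is Brian's "access with no messages" trade-off made explicit.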
