Date: Fri, 04 May 2001 11:13:01 +0100 From: Brian Somers <brian@Awfulhak.org> To: Peter Pentchev <roam@orbitel.bg> Cc: Archie Cobbs <archie@packetdesign.com>, freebsd-bugs@FreeBSD.ORG, brian@Awfulhak.org Subject: Re: bin/26996: sshd fails when / mounted read-only Message-ID: <200105041013.f44AD1B29165@hak.lan.Awfulhak.org> In-Reply-To: Message from Peter Pentchev <roam@orbitel.bg> of "Fri, 04 May 2001 08:51:33 %2B0300." <20010504085133.A13382@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
> > It seems like it should be OK to leave the tty owned by root/wheel
> > (if that's who owns it) because they are a secure user and group..?
> > I.e., if either one is broken then you have larger security problems
> > to worry about.
>
> It's not just ownership; the permissions have to be changed from
> the default 666, and once you change them, you had better change
> the owner, too, so the logged-in user can actually use his tty..
>
> Actually, telnetd does have the same weakness: on a read-only filesystem,
> it leaves it to login(1) to change the tty owner/mode, and login(1) fails,
> with just a syslog'd message. The user *is* logged in, but everyone
> can open his tty for reading and writing. The difference is that
> sshd refuses to even let the user log in.
Perhaps pty permissions should default to root:wheel/600 ?
> G'luck,
> Peter
>
> --
> Nostalgia ain't what it used to be.
--
Brian <brian@Awfulhak.org> <brian@[uk.]FreeBSD.org>
<http://www.Awfulhak.org>; <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200105041013.f44AD1B29165>