On  08/27/2002 20:08:08, Julio Merino <jmmv@hispabsd.org> said:
> Let me explain what do I want to do first. I want to mount / as 
> read-only; though /dev needs to be read-write in some cases (when 
> I do a ssh, it needs to change tty ownerships in /dev). 
(snip)
> What do you think?

I think this is the wrong way of solving this problem. There is no real 
reason why sshd shouldn't be able to run with a read-only /dev. It complains
when it cannot change the ownership of the tty to you, but after all, if
the owner is root, it does not really matters if sshd cannot change the
ownership: it just means root can snoop on your tty, but it was already
able to do it anyway.

Last time I needed to use sshd with a read-only root, I had to patch openssh
so that sshd accepts to log you in when the tty is owned by root, mode 600
and read-only. I committed my patch to our tree and submitted it to the OpenBSD
folks, which accepted it. We had a sshd that was accepting login with a 
read-only filesystem. This was around OpenSSH 2.5.1. The fix is in 
src/crypto/dist/ssh/sshpty.c:pty_setowner()

Unfortunately, when I upgraded to OpenSSH 3.4, I noticed that it does not
work anymore, there is another check somewhere that will prevent login in 
with a tty owned by root, mode 600 and on a read-only filesystem. I plan
to fix this when I'll have some time, but feel free to beat me on this one.

-- 
Emmanuel Dreyfus
manu@netbs.dorg