Subject: bin/13499: sshd won't allow login if /dev is read-only
To: None <gnats-bugs@gnats.netbsd.org>
From: None <manu@netbsd.org>
List: netbsd-bugs
Date: 07/18/2001 08:56:24
>Number:         13499
>Category:       bin
>Synopsis:       sshd won't allow login if /dev is read-only
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 17 23:54:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Emmanuel Dreyfus
>Release:        NetBSD 1.5.1
>Organization:
The NetBSD Project
>Environment:
System: NetBSD melancolie 1.5.1 NetBSD 1.5.1 (MEL2) #0: Thu Jul 12 19:31:01 CEST 2001 root@melancolie:/usr/src/sys/arch/i386/compile/MEL2 i386


>Description:
sshd needs to chown the tty it uses to the connecting user. If the chown
fails because /dev is read-only, sshd will refuse the connection.

This is annoying, because it means that if you want to use sshd when you boot
off a CDROM, or when you set up a highly secured machine with a read-only root
partition, then you have to do an MFS mount for /dev.

Additionally, this behavior is not consistent with login's behavior, which will
log you in even if you don't own your tty.


>How-To-Repeat:
Kill enough processes to be able to remount / as read-only (the simplest way
may be to go to single user). Run sshd, try to connect to the box with a login
other than root.


>Fix:
For sshd: running on a tty owned by someone else is a bad idea, and it's good
that sshd refuses to do this. But we could allow running on a tty owned by root.
Root does not have more privileges on your tty if he owns it, and ttys are
owned by root by default. Hence if sshd allows login on a root-owned tty
when /dev is read-only, it seems to me that there is no security breach, and
sshd will work with read-only /dev.

Here is my suggested patch:

Index: sshpty.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/ssh/sshpty.c,v
retrieving revision 1.1.1.2
diff -U4 -r1.1.1.2 sshpty.c
--- sshpty.c	2001/04/10 07:14:22	1.1.1.2
+++ sshpty.c	2001/07/18 06:43:48
@@ -272,9 +272,10 @@
 		    strerror(errno));
 
 	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
 		if (chown(ttyname, pw->pw_uid, gid) < 0) {
-			if (errno == EROFS && st.st_uid == pw->pw_uid)
+			if (errno == EROFS && 
+			    (st.st_uid == pw->pw_uid || st.st_uid == 0))
 				error("chown(%.100s, %d, %d) failed: %.100s",
 				      ttyname, pw->pw_uid, gid,
 				      strerror(errno));
 			else
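Review bot: the relaxed condition on the two `+` lines checks only `st.st_uid == 0` and says nothing about the group, although the enclosing test is `st.st_uid != pw->pw_uid || st.st_gid != gid`; a root-owned tty whose group is some unrelated group therefore passes with nothing more than an error() log whenever chown fails with EROFS. Consider tightening the new arm to `(st.st_uid == 0 && st.st_gid == gid)` or adding a comment explaining why root ownership alone is considered safe. Minor style point: the first `+` line has trailing whitespace after `&&`.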

This patch has also been sent-pr'ed to OpenBSD.

For login: login should implement the same checks, but this is a bit more
complicated since the chown occurs after the point where we assume that
nothing else will fail and that we are committed to login. We may have to
move the chown to an earlier location.
>Release-Note:
>Audit-Trail:
>Unformatted:
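As an added example (not part of this PR and not sshd's own code), the tty-ownership policy argued for in the Fix section, written as a stand-alone C decision function so the before/after behaviour can be exercised without a real pty or root privileges. The function name `pty_setowner_policy`, the `allow_root_owned` switch, the verdict enum and the fake chown(2) stand-ins are constructed here for illustration; `allow_root_owned = 0` reproduces the original `st.st_uid == pw->pw_uid` check and `1` the patched `|| st.st_uid == 0` arm.

```c
/* Added example: the tty ownership decision from the PR, as a pure function.
 * Not taken from sshpty.c; names and helpers below are constructed. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

enum tty_verdict {
    TTY_OK,            /* owner already right, or chown(2) succeeded */
    TTY_WARN_CONTINUE, /* chown failed with EROFS, owner acceptable: log, go on */
    TTY_REJECT         /* owned by another user, or chown failed otherwise */
};

/* Stand-in for chown(2) so the policy can be driven without touching /dev. */
typedef int (*chown_fn)(const char *path, uid_t uid, gid_t gid);

/*
 * st_uid/st_gid : current owner of the tty (what stat(2) reported)
 * pw_uid/gid    : owner sshd wants (logging-in user, tty group)
 * allow_root_owned: 0 = original behaviour, 1 = behaviour with the PR's patch
 */
static enum tty_verdict pty_setowner_policy(const char *ttyname,
                                            uid_t st_uid, gid_t st_gid,
                                            uid_t pw_uid, gid_t gid,
                                            chown_fn do_chown,
                                            int allow_root_owned)
{
    if (st_uid == pw_uid && st_gid == gid)
        return TTY_OK;                    /* nothing to change */
    if (do_chown(ttyname, pw_uid, gid) == 0)
        return TTY_OK;                    /* chown fixed it */
    /* chown failed: only a read-only filesystem is tolerated, and only when
     * the tty is already owned by the user (or, with the patch, by root).
     * A tty owned by some other non-root user is still rejected. */
    if (errno == EROFS &&
        (st_uid == pw_uid || (allow_root_owned && st_uid == 0)))
        return TTY_WARN_CONTINUE;
    return TTY_REJECT;
}

/* Constructed chown(2) stand-ins: read-only /dev, no privilege, success. */
static int fake_chown_erofs(const char *p, uid_t u, gid_t g)
{ (void)p; (void)u; (void)g; errno = EROFS; return -1; }
static int fake_chown_eperm(const char *p, uid_t u, gid_t g)
{ (void)p; (void)u; (void)g; errno = EPERM; return -1; }
static int fake_chown_ok(const char *p, uid_t u, gid_t g)
{ (void)p; (void)u; (void)g; return 0; }

static const char *verdict_name(enum tty_verdict v)
{
    switch (v) {
    case TTY_OK:            return "ok";
    case TTY_WARN_CONTINUE: return "warn, continue";
    default:                return "reject";
    }
}

int main(void)
{
    /* Constructed scenario: user uid 1000 logging in, tty group gid 4,
     * tty currently root:tty (the default state of a fresh /dev). */
    const char *tty = "/dev/ttyp0";
    printf("read-only /dev, root-owned tty, original : %s\n",
        verdict_name(pty_setowner_policy(tty, 0, 4, 1000, 4, fake_chown_erofs, 0)));
    printf("read-only /dev, root-owned tty, patched  : %s\n",
        verdict_name(pty_setowner_policy(tty, 0, 4, 1000, 4, fake_chown_erofs, 1)));
    printf("read-only /dev, tty owned by uid 1001    : %s\n",
        verdict_name(pty_setowner_policy(tty, 1001, 4, 1000, 4, fake_chown_erofs, 1)));
    printf("writable /dev, chown denied (EPERM)      : %s\n",
        verdict_name(pty_setowner_policy(tty, 0, 4, 1000, 4, fake_chown_eperm, 1)));
    printf("writable /dev, chown succeeds            : %s\n",
        verdict_name(pty_setowner_policy(tty, 0, 4, 1000, 4, fake_chown_ok, 1)));
    return 0;
}
```

The function mirrors the flow of the hunk: chown is only attempted when ownership differs, and the EROFS relaxation never applies when the filesystem is writable, so a writable /dev still enforces the chown. The tty-owned-by-another-user case shows the caveat the PR relies on: the patch widens the exception to root only, not to arbitrary owners.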