Bug 26996

Summary: sshd fails when / mounted read-only
Product: Base System
Reporter: Archie Cobbs <archie>
Component: bin
Assignee: Brian Feldman <green>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.3-RELEASE
Hardware: Any
OS: Any

Description Archie Cobbs 2001-04-30 21:30:00 UTC
	sshd will not allow login when the root filesystem is mounted
	read-only, because it tries to change user/group ownership of
	a file in /dev.

	Newer sshd handles this IF the uid and gid are already the same
	(see patch:

		http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/Attic/pty.c.diff?r1=1.16&r2=1.17

	)

	but this wouldn't fix the problem -- on my system, ssh'ing
	in as root causes the /dev/ttypX entry's user to be that of
	the user and group to be changed from "wheel" to "tty".

Fix: This patch fixes the problem, but may cause other
	security problems (or may not, I'm not sure):



/* Makes the tty the processes controlling tty and sets it to sane modes. */
@@ -272,9 +276,11 @@

  	/* Change ownership of the tty. */
  	if (chown(ttyname, pw->pw_uid, gid) < 0)
-		fatal("chown(%.100s, %d, %d) failed: %.100s",
-		    ttyname, pw->pw_uid, gid, strerror(errno));
+		if(errno != EROFS)
+			fatal("chown(%.100s, %d, %d) failed: %.100s",
+			    ttyname, pw->pw_uid, gid, strerror(errno));
  	if (chmod(ttyname, mode) < 0)
-		fatal("chmod(%.100s, 0%o) failed: %.100s",
-		    ttyname, mode, strerror(errno));
+		if(errno != EROFS)
+			fatal("chmod(%.100s, 0%o) failed: %.100s",
+			    ttyname, mode, strerror(errno));
  }
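Review bot: the two `+		if(errno != EROFS)` guards turn a fatal chown/chmod failure into a silent success, so on a read-only /dev the login proceeds with whatever owner and mode the pty node last had, and nothing is logged. Because pty_release() (second hunk) leaves a released pty at mode 0666, a pty released before the remount stays readable and writable by every local user, which is exactly the exposure Kris raises in Comment 1. Before falling through, stat() the node and confirm it already carries pw->pw_uid, gid and mode (the newer OpenBSD pty.c revision linked in the description does this for uid/gid); if it does not, keep the fatal(). At minimum, log on the EROFS path so an administrator can see the tty was left untouched. The brace-less `if` nested directly inside another brace-less `if` is also fragile; add braces.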

Index: crypto/openssh/pty.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/pty.c,v
retrieving revision 1.2.2.2
diff -u -r1.2.2.2 pty.c
--- crypto/openssh/pty.c	2000/10/28 23:00:49	1.2.2.2
+++ crypto/openssh/pty.c	2001/04/09 21:08:52
@@ -181,9 +181,13 @@
  pty_release(const char *ttyname)
  {
  	if (chown(ttyname, (uid_t) 0, (gid_t) 0) < 0)
-		error("chown %.100s 0 0 failed: %.100s", ttyname, 
strerror(errno));
+		if(errno != EROFS)
+			error("chown %.100s 0 0 failed: %.100s",
+			    ttyname, strerror(errno));
  	if (chmod(ttyname, (mode_t) 0666) < 0)
-		error("chmod %.100s 0666 failed: %.100s", ttyname, 
strerror(errno));
+		if(errno != EROFS)
+			error("chmod %.100s 0666 failed: %.100s",
+			    ttyname, strerror(errno));
  }
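Review bot: the `if(errno != EROFS)` guards in pty_release() change nothing functionally, since error() is non-fatal and the function already continues after a failed chown or chmod; their only effect is to hide the log line that tells an administrator the pty could not be reset to root 0666. Keep the error() call (or downgrade it to a verbose-level message) rather than suppressing it. Also, both `-` lines (`error("chown %.100s 0 0 failed: %.100s", ttyname,` and the chmod counterpart) are wrapped across two physical lines, so the diff as pasted will not apply cleanly with patch(1); regenerate it from the tree.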
How-To-Repeat: 
	- Take a FreeBSD 4.3 system.
	- Set "PermitRootLogin yes" in /etc/ssh/sshd_config
	- Enable/restart sshd
	- Mount the root filesystem read-only
	- Try to ssh login as root from another machine

	This happens to me when trying to login as root, but I'm
	pretty sure it will happen with any other user as well.
Comment 1 Kris Kennaway 2001-05-02 23:11:21 UTC
On Mon, Apr 30, 2001 at 01:21:31PM -0700, Archie Cobbs wrote:

> 	This patch fixes the problem, but may cause other
> 	security problems (or may not, I'm not sure):

In fact it does; if the ownership and permissions of pty devices isn't
changed it allows any other users on the system to read and write to
that pty, snooping passwords and the like.  The real solution would be
to use devfs or mount your /dev on a MFS or something (with a minimal
static /dev on / to handle bootstrapping).

Kris
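The alternative that both the OpenBSD revision linked in the description and Kris's reply point at, written here as an added example for this report and not code from the FreeBSD or OpenSSH tree: tolerate EROFS only when the pty node already carries the requested owner, group and mode, and otherwise fail as before. It goes slightly beyond the uid/gid comparison the description mentions by checking the mode bits too; the names `tty_state_matches` and `pty_setowner_checked` are hypothetical, and the error strings mirror the fatal() messages in the patch above.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the node at path already carries exactly the requested
 * owner, group and permission bits; 0 if it does not or cannot be stat'd. */
int
tty_state_matches(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
	struct stat st;

	if (stat(path, &st) < 0)
		return 0;
	return st.st_uid == uid && st.st_gid == gid &&
	    (st.st_mode & 07777) == mode;
}

/* Hypothetical replacement for the chown/chmod pair in pty_setowner().
 * A failure is tolerated only when the filesystem is read-only (EROFS)
 * AND the node already has the wanted owner, group and mode; any other
 * failure, or a read-only node in the wrong state, returns -1 so the
 * caller can refuse the login instead of handing out a pty that other
 * local users may still be able to open. */
int
pty_setowner_checked(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
	int e;

	if (chown(path, uid, gid) < 0) {
		e = errno;	/* stat() inside the check may clobber errno */
		if (e != EROFS || !tty_state_matches(path, uid, gid, mode)) {
			fprintf(stderr, "chown(%.100s, %d, %d) failed: %.100s\n",
			    path, (int)uid, (int)gid, strerror(e));
			return -1;
		}
	}
	if (chmod(path, mode) < 0) {
		e = errno;
		if (e != EROFS || !tty_state_matches(path, uid, gid, mode)) {
			fprintf(stderr, "chmod(%.100s, 0%o) failed: %.100s\n",
			    path, (unsigned)mode, strerror(e));
			return -1;
		}
	}
	return 0;
}
```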
Comment 2 Archie Cobbs 2001-05-02 23:38:07 UTC
Kris Kennaway wrote:
> >       This patch fixes the problem, but may cause other
> >       security problems (or may not, I'm not sure):
> 
> In fact it does; if the ownership and permissions of pty devices isn't
> changed it allows any other users on the system to read and write to
> that pty, snooping passwords and the like.  The real solution would be
> to use devfs or mount your /dev on a MFS or something (with a minimal
> static /dev on / to handle bootstrapping).

So, how about a flag to sshd to make it allow this behavior with
suitably strong warnings in the man page?

Also, how come e.g. telnetd doesn't have the same problem? If telnetd
can work why can't sshd?

-Archie
 
__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
Comment 3 Kris Kennaway 2001-05-03 02:57:38 UTC
On Wed, May 02, 2001 at 03:38:07PM -0700, Archie Cobbs wrote:
> Kris Kennaway wrote:
> > >       This patch fixes the problem, but may cause other
> > >       security problems (or may not, I'm not sure):
> > 
> > In fact it does; if the ownership and permissions of pty devices isn't
> > changed it allows any other users on the system to read and write to
> > that pty, snooping passwords and the like.  The real solution would be
> > to use devfs or mount your /dev on a MFS or something (with a minimal
> > static /dev on / to handle bootstrapping).
> 
> So, how about a flag to sshd to make it allow this behavior with
> suitably strong warnings in the man page?


I'm not sure about this..our ssh code is already difficult enough to
update because of divergences.  It would be up to Brian.

> Also, how come e.g. telnetd doesn't have the same problem? If telnetd
> can work why can't sshd?


Not immediately sure.

Kris
Comment 4 Archie Cobbs 2001-05-04 00:00:40 UTC
Kris Kennaway wrote:
> > Kris Kennaway wrote:
> > > >       This patch fixes the problem, but may cause other
> > > >       security problems (or may not, I'm not sure):
> > >
> > > In fact it does; if the ownership and permissions of pty devices isn't
> > > changed it allows any other users on the system to read and write to
> > > that pty, snooping passwords and the like.  The real solution would be
> > > to use devfs or mount your /dev on a MFS or something (with a minimal
> > > static /dev on / to handle bootstrapping).
> >
> > So, how about a flag to sshd to make it allow this behavior with
> > suitably strong warnings in the man page?
> 
> I'm not sure about this..our ssh code is already difficult enough to
> update because of divergences.  It would be up to Brian.
> 
> > Also, how come e.g. telnetd doesn't have the same problem? If telnetd
> > can work why can't sshd?
> 
> Not immediately sure.

...so either telnetd has a security hole, or this bug can be fixed
without lessening security. Either way, we should do something.. :-)

It seems like it should be OK to leave the tty owned by root/wheel
(if that's who owns it) because they are a secure user and group..?
I.e., if either one is broken then you have larger security problems
to worry about.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
Comment 5 Kris Kennaway 2001-05-29 01:02:54 UTC
Responsible Changed
From-To: freebsd-bugs->green

green is the SSH maintainer
Comment 6 Brian Feldman 2003-07-13 05:18:18 UTC
State Changed
From-To: open->closed

Fixed in newer versions.