issue with SE/Linux - sshd not giving access to /dev/pts/[n]

Luke Kenneth Casson Leighton lkcl at lkcl.net
Tue Jun 1 10:32:14 UTC 2004


On Tue, Jun 01, 2004 at 07:52:29PM +1000, Darren Tucker wrote:
> Luke Kenneth Casson Leighton wrote:
> >but i cannot log in as an ordinary user, and i had to grant
> >special permission to the _user_ process (NOT sshd or pam
> >before a setuid and exec is carried out) to access
> >/dev/pts/0.
> 
> By "user process" do you mean sshd running as the user logging in?  If 
> so, that's probably because of Privilege Separation[1].  Try retesting 
> with "UsePrivilegeSeparation no" in sshd_config.
 
 ah ha!

 let's see.... YEP!  that does it.

 great!

 okay, so now in order to avoid one auditing experience or
 should i say something which requires special permissions to
 be allowed, i have to switch off something that is there for
 security reasons, ho hum.


> When privsep is on, sshd starts running as the user quite early, leaving 
> behind another process (the "monitor") running as root, while the 
> unprivileged sshd does most of the work (network comms, protocol 
> processing, compression and so on).  When the user requests a pty, one 
> is allocated by the monitor (pty allocation is a privileged operation on 
> some platforms) and a descriptor is passed to the unprivileged child 
> (the "slave"), which then forks, makes the pty its controlling tty runs 
> the shell.  This is probably what you're seeing.

 *glurk*...  i actually understood that.

 okay.

 the "expected" behaviour shall we say of the SE/linux auditing rules
 that russell has created is that only the sshd domain (where a
 domain correlates to a process, in this case the "monitor") has
 been given permission to do ioctl and read and write to the
 tty (/dev/pts/NN).

 and the "user" domain, i.e. after a fork() and set(e?)uid() / gid(),
 is most definitely NOT granted permission to read/write to ssh-specific
 ptys because only the sshd domain is allowed that.

 ... russell, et al, is there some way to reflect the above
 into SE/Linux auditing rules?

 l.


> >in other words, if i understand this correctly, there is a
> >bug somewhere in either sshd or pam where control of the
> >tty is given at the wrong point, or is not given at all.
> 
> It's not a bug, it's a Feature.
> 
> [1] http://www.citi.umich.edu/u/provos/ssh/privsep.html

 :)

 ta.

 l.





More information about the Pam-list mailing list