From archie@packetdesign.com  Mon Apr 30 13:21:35 2001
Return-Path: <archie@packetdesign.com>
Received: from mailman.packetdesign.com (dns.packetdesign.com [65.192.41.10])
	by hub.freebsd.org (Postfix) with ESMTP id EDC4137B422
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 30 Apr 2001 13:21:33 -0700 (PDT)
	(envelope-from archie@packetdesign.com)
Received: from bubba.packetdesign.com (bubba.packetdesign.com [192.168.0.223])
	by mailman.packetdesign.com (8.11.0/8.11.0) with ESMTP id f3UKLW218859
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 30 Apr 2001 13:21:32 -0700 (PDT)
	(envelope-from archie@packetdesign.com)
Received: (from archie@localhost)
	by bubba.packetdesign.com (8.11.3/8.11.1) id f3UKLVK15344;
	Mon, 30 Apr 2001 13:21:31 -0700 (PDT)
	(envelope-from archie)
Message-Id: <200104302021.f3UKLVK15344@bubba.packetdesign.com>
Date: Mon, 30 Apr 2001 13:21:31 -0700 (PDT)
From: Archie Cobbs <archie@packetdesign.com>
Reply-To: archie@packetdesign.com
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: sshd fails when / mounted read-only
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         26996
>Category:       bin
>Synopsis:       sshd fails when / mounted read-only
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 30 13:30:00 PDT 2001
>Closed-Date:    Sat Jul 12 21:18:43 PDT 2003
>Last-Modified:  Sat Jul 12 21:18:43 PDT 2003
>Originator:     Archie Cobbs
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
Packet Design
>Environment:
System: FreeBSD bubba.packetdesign.com 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Thu Apr 26 15:28:39 PDT 2001 root@bubba.packetdesign.com:/usr/obj/usr/src/sys/BUBBA i386

>Description:

	sshd will not allow login when the root filesystem is mounted
	read-only, because it tries to change user/group ownership of
	a file in /dev.

	Newer sshd handles this IF the uid and gid are already the same
	(see patch:

		http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/Attic/pty.c.diff?r1=1.16&r2=1.17

	)

	but this wouldn't fix the problem -- on my system, ssh'ing
	in as root causes the /dev/ttypX entry's user to be that of
	the user and group to be changed from "wheel" to "tty".

>How-To-Repeat:

	- Take a FreeBSD 4.3 system.
	- Set "PermitRootLogin yes" in /etc/ssh/sshd_config
	- Enable/restart sshd
	- Mount the root filesystem read-only
	- Try to ssh login as root from another machine

	This happens to me when trying to login as root, but I'm
	pretty sure it will happen with any other user as well.

>Fix:

	This patch fixes the problem, but may cause other
	security problems (or may not, I'm not sure):

Index: crypto/openssh/pty.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/pty.c,v
retrieving revision 1.2.2.2
diff -u -r1.2.2.2 pty.c
--- crypto/openssh/pty.c	2000/10/28 23:00:49	1.2.2.2
+++ crypto/openssh/pty.c	2001/04/09 21:08:52
@@ -181,9 +181,13 @@
  pty_release(const char *ttyname)
  {
  	if (chown(ttyname, (uid_t) 0, (gid_t) 0) < 0)
-		error("chown %.100s 0 0 failed: %.100s", ttyname, 
strerror(errno));
+		if(errno != EROFS)
+			error("chown %.100s 0 0 failed: %.100s",
+			    ttyname, strerror(errno));
  	if (chmod(ttyname, (mode_t) 0666) < 0)
-		error("chmod %.100s 0666 failed: %.100s", ttyname, 
strerror(errno));
+		if(errno != EROFS)
+			error("chmod %.100s 0666 failed: %.100s",
+			    ttyname, strerror(errno));
  }

  /* Makes the tty the processes controlling tty and sets it to sane modes. */
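Review bot: In pty_release(), the added `if(errno != EROFS)` guards discard the chown() and chmod() failures without any message, so on a read-only /dev nothing records that the tty kept the previous session's owner and mode instead of being reset to 0/0 and 0666. Keep a log entry for the EROFS case (a lower-severity message is enough) rather than dropping it. Style: each new if hangs off an unbraced outer if; a single condition such as `if (chown(ttyname, (uid_t) 0, (gid_t) 0) < 0 && errno != EROFS)` reads more clearly and avoids the dangling nesting, and `if(` needs a space after the keyword to match the surrounding code.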
@@ -272,9 +276,11 @@

  	/* Change ownership of the tty. */
  	if (chown(ttyname, pw->pw_uid, gid) < 0)
-		fatal("chown(%.100s, %d, %d) failed: %.100s",
-		    ttyname, pw->pw_uid, gid, strerror(errno));
+		if(errno != EROFS)
+			fatal("chown(%.100s, %d, %d) failed: %.100s",
+			    ttyname, pw->pw_uid, gid, strerror(errno));
  	if (chmod(ttyname, mode) < 0)
-		fatal("chmod(%.100s, 0%o) failed: %.100s",
-		    ttyname, mode, strerror(errno));
+		if(errno != EROFS)
+			fatal("chmod(%.100s, 0%o) failed: %.100s",
+			    ttyname, mode, strerror(errno));
  }
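Review bot: Skipping fatal() when chown() or chmod() fails with EROFS lets the login continue on a tty whose owner, group and mode were never set to pw->pw_uid, gid and mode, and nothing in this hunk checks what they currently are. Before continuing, stat() ttyname and proceed only if the existing owner already equals pw->pw_uid and the existing permission bits grant nothing beyond `mode`; in every other case keep the fatal(). The two nested, unbraced ifs would also be clearer folded into the outer condition.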

>Release-Note:
>Audit-Trail:

From: Kris Kennaway <kris@obsecurity.org>
To: Archie Cobbs <archie@packetdesign.com>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/26996: sshd fails when / mounted read-only
Date: Wed, 2 May 2001 15:11:21 -0700

 On Mon, Apr 30, 2001 at 01:21:31PM -0700, Archie Cobbs wrote:
 
 > 	This patch fixes the problem, but may cause other
 > 	security problems (or may not, I'm not sure):
 
 In fact it does; if the ownership and permissions of pty devices isn't
 changed it allows any other users on the system to read and write to
 that pty, snooping passwords and the like.  The real solution would be
 to use devfs or mount your /dev on a MFS or something (with a minimal
 static /dev on / to handle bootstrapping).
 
 Kris
 

From: Archie Cobbs <archie@packetdesign.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/26996: sshd fails when / mounted read-only
Date: Wed, 02 May 2001 15:38:07 -0700

 Kris Kennaway wrote:
 > >       This patch fixes the problem, but may cause other
 > >       security problems (or may not, I'm not sure):
 > 
 > In fact it does; if the ownership and permissions of pty devices isn't
 > changed it allows any other users on the system to read and write to
 > that pty, snooping passwords and the like.  The real solution would be
 > to use devfs or mount your /dev on a MFS or something (with a minimal
 > static /dev on / to handle bootstrapping).
 
 So, how about a flag to sshd to make it allow this behavior with
 suitably strong warnings in the man page?
 
 Also, how come e.g. telnetd doesn't have the same problem? If telnetd
 can work why can't sshd?
 
 -Archie
  
 __________________________________________________________________________
 Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com

From: Kris Kennaway <kris@obsecurity.org>
To: Archie Cobbs <archie@packetdesign.com>
Cc: Kris Kennaway <kris@obsecurity.org>,
	FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/26996: sshd fails when / mounted read-only
Date: Wed, 2 May 2001 18:57:38 -0700

 On Wed, May 02, 2001 at 03:38:07PM -0700, Archie Cobbs wrote:
 > Kris Kennaway wrote:
 > > >       This patch fixes the problem, but may cause other
 > > >       security problems (or may not, I'm not sure):
 > >
 > > In fact it does; if the ownership and permissions of pty devices isn't
 > > changed it allows any other users on the system to read and write to
 > > that pty, snooping passwords and the like.  The real solution would be
 > > to use devfs or mount your /dev on a MFS or something (with a minimal
 > > static /dev on / to handle bootstrapping).
 >
 > So, how about a flag to sshd to make it allow this behavior with
 > suitably strong warnings in the man page?
 
 I'm not sure about this..our ssh code is already difficult enough to
 update because of divergences.  It would be up to Brian.
 
 > Also, how come e.g. telnetd doesn't have the same problem? If telnetd
 > can work why can't sshd?
 
 Not immediately sure.
 
 Kris

From: Archie Cobbs <archie@packetdesign.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/26996: sshd fails when / mounted read-only
Date: Thu, 03 May 2001 16:00:40 -0700

 Kris Kennaway wrote:
 > > Kris Kennaway wrote:
 > > > >       This patch fixes the problem, but may cause other
 > > > >       security problems (or may not, I'm not sure):
 > > >
 > > > In fact it does; if the ownership and permissions of pty devices isn't
 > > > changed it allows any other users on the system to read and write to
 > > > that pty, snooping passwords and the like.  The real solution would be
 > > > to use devfs or mount your /dev on a MFS or something (with a minimal
 > > > static /dev on / to handle bootstrapping).
 > >
 > > So, how about a flag to sshd to make it allow this behavior with
 > > suitably strong warnings in the man page?
 > 
 > I'm not sure about this..our ssh code is already difficult enough to
 > update because of divergences.  It would be up to Brian.
 > 
 > > Also, how come e.g. telnetd doesn't have the same problem? If telnetd
 > > can work why can't sshd?
 > 
 > Not immediately sure.
 
 ...so either telnetd has a security hole, or this bug can be fixed
 without lessening security. Either way, we should do something.. :-)
 
 It seems like it should be OK to leave the tty owned by root/wheel
 (if that's who owns it) because they are a secure user and group..?
 I.e., if either one is broken then you have larger security problems
 to worry about.
 
 -Archie
 
 __________________________________________________________________________
 Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: kris 
Responsible-Changed-When: Mon May 28 17:02:54 PDT 2001 
Responsible-Changed-Why:  
green is the SSH maintainer 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=26996 
State-Changed-From-To: open->closed 
State-Changed-By: green 
State-Changed-When: Sat Jul 12 21:18:18 PDT 2003 
State-Changed-Why:  
Fixed in newer versions. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26996 
>Unformatted:
