issue with SE/Linux - sshd not giving access to /dev/pts/[n]
Darren Tucker
dtucker at zip.com.au
Tue Jun 1 19:52:29 EST 2004
Luke Kenneth Casson Leighton wrote:
> but i cannot log in as an ordinary user, and i had to grant
> special permission to the _user_ process (NOT sshd or pam
> before a setuid and exec is carried out) to access
> /dev/pts/0.
By "user process" do you mean sshd running as the user logging in? If
so, that's probably because of Privilege Separation[1]. Try retesting
with "UsePrivilegeSeparation no" in sshd_config.
When privsep is on, sshd starts running as the user quite early, leaving
behind another process (the "monitor") running as root, while the
unprivileged sshd does most of the work (network comms, protocol
processing, compression and so on). When the user requests a pty, one
is allocated by the monitor (pty allocation is a privileged operation on
some platforms) and a descriptor is passed to the unprivileged child
(the "slave"), which then forks, makes the pty its controlling tty runs
the shell. This is probably what you're seeing.
> in other words, if i understand this correctly, there is a
> bug somewhere in either sshd or pam where control of the
> tty is given at the wrong point, or is not given at all.
It's not a bug, it's a Feature.
[1] http://www.citi.umich.edu/u/provos/ssh/privsep.html
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list