issue with SE/Linux - sshd not giving access to /dev/pts/[n]

Russell Coker russell at coker.com.au
Wed Jun 2 16:31:50 EST 2004


On Tue, 1 Jun 2004 19:03, Luke Kenneth Casson Leighton <lkcl at lkcl.net> wrote:
> i have an issue on my newly created Debian/SELinux/unstable system.
>
> i have pam 0.77 se1 installed
> ssh            3.8.1p1-4      (OpenSSH)
> and libselinux1 1.12-1.
>
> i can log in as root, fine.
>
> but i cannot log in as an ordinary user, and i had to grant
> special permission to the _user_ process (NOT sshd or pam
> before a setuid and exec is carried out) to access
> /dev/pts/0.
>
> in other words, if i understand this correctly, there is a
> bug somewhere in either sshd or pam where control of the
> tty is given at the wrong point, or is not given at all.

When you log in the terminal must be given a type label that permits you access 
to it.  Otherwise you can't access your terminal and get logged out.

There is a bug in the SE Linux pam code or in sshd which results in the 
terminal not being correctly relabelled in some situations.  Someone (maybe 
you) needs to debug this.  I would guess that the PAM code is doing the wrong 
thing; the PAM code in question is in Fedora and in my repository for SE 
Linux Debian packages.  It is not in the main-line PAM distribution because 
nothing happens there.

So asking the pam-list is not going to do any good because probably no-one on 
that list has even seen the code in question.  Same goes for the ssh list.

Best to just debug the code yourself.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
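
One way to confirm the symptom discussed in this message from the kernel's AVC denials, as an added example that is not part of the original post or of the PAM or sshd code. The log lines are constructed, and the type names (`user_devpts_t`, `sshd_devpts_t`, `sysadm_devpts_t`) and the domain-to-pty naming convention are assumptions about the policy in use.

```python
import re

# Constructed sample AVC lines (not from the thread). Assumed policy convention:
# a login domain <prefix>_t should own a pty labelled <prefix>_devpts_t.
SAMPLE_LOG = """\
avc:  denied  { read write } for  pid=2101 exe=/bin/bash name=0 dev=devpts ino=2 scontext=luke:user_r:user_t tcontext=system_u:object_r:sshd_devpts_t tclass=chr_file
avc:  denied  { getattr } for  pid=2101 exe=/bin/bash path=/dev/pts/0 dev=devpts ino=2 scontext=luke:user_r:user_t tcontext=system_u:object_r:sshd_devpts_t tclass=chr_file
avc:  denied  { read } for  pid=2200 exe=/bin/cat name=shadow dev=hda1 ino=4711 scontext=luke:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
avc:  denied  { ioctl } for  pid=2300 exe=/bin/bash path=/dev/pts/1 dev=devpts ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
"""

def parse_avc(line):
    """Return the key=value fields of an AVC denial plus its permission list."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["perms"] = m.group(1).split()
    return fields

def context_type(context):
    parts = (context or "").split(":")      # user:role:type[:level]
    return parts[2] if len(parts) >= 3 else None

def expected_pty_type(domain):
    # Assumed naming convention, e.g. user_t -> user_devpts_t.
    if domain and domain.endswith("_t"):
        return domain[:-2] + "_devpts_t"
    return None

def unrelabelled_pty_denials(log_text):
    """Denials on devpts character devices whose type is not the one the
    denied domain should have been given at login."""
    findings = []
    for line in log_text.splitlines():
        f = parse_avc(line)
        if not f or f.get("tclass") != "chr_file" or f.get("dev") != "devpts":
            continue
        domain = context_type(f.get("scontext"))
        actual = context_type(f.get("tcontext"))
        expected = expected_pty_type(domain)
        if expected and actual != expected:
            findings.append((f.get("pid"), domain, actual, expected, f["perms"]))
    return findings

if __name__ == "__main__":
    for pid, domain, actual, expected, perms in unrelabelled_pty_denials(SAMPLE_LOG):
        print(f"pid {pid}: {domain} denied {perms} on pty typed {actual}, expected {expected}")
```

A pty that still carries the daemon's type after login points at the relabel step rather than at missing allow rules, which is the distinction the reply draws.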




More information about the openssh-unix-dev mailing list