PTY allocation without being root

Ed Schouten ed at FreeBSD.org
Tue Jul 29 01:49:19 EST 2008


Hello everyone,

Some of you might already know what I've been doing lately, but I'd
better introduce myself properly: since February this year I've been
working on redesigning the TTY layer for the FreeBSD operating system. I
hope to get my work integrated next month (the 10th of August). The new
TTY layer will have some minor improvements with respect to performance,
but one of the nice features is that we'll finally create/destroy PTY's
on demand.

Creating PTY's on demand gave me an idea: what if we could perform
resource limiting on PTY's? PTY's aren't infinitely available on FreeBSD
(right now we can only allocate 1000, because of UT_LINESIZE). This
means a single user could block other users from logging in, by running:

	for (;;) posix_openpt(O_RDWR|O_NOCTTY);

A couple of weeks ago, I created an experimental patch to add a new
rlimit. Unfortunately, it seemed OpenSSH just ignored the limit, which
only meant one thing: OpenSSH allocates PTY's as root.

Only a few months ago, I visited a talk by Otto Moerbeek about privilege
separation. If I understand OpenSSH's design correctly, we've got two
processes:

- One process running as the user which will be logging in.

- One process running as root, which runs all the operations which
  cannot be performed by the first process.

Allocating PTY's is performed in the second process. It would be nice if
we allocated it in the first process, because we could then perform the
resource limiting. Right now I'm using this patch, which actually seems
to work on my system:

| --- crypto/openssh/session.c
| +++ crypto/openssh/session.c
| @@ -1867,7 +1867,7 @@
|  
|  	/* Allocate a pty and open it. */
|  	debug("Allocating pty.");
| -	if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)))) {
| +	if (!pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty))) {
|  		if (s->term)
|  			xfree(s->term);
|  		s->term = NULL;
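
Review bot: dropping PRIVSEP() from the pty_allocate() call in the if condition moves the whole allocation into the unprivileged process, but nothing else in the hunk accounts for the work that relied on the monitor's privileges. The error path that follows (xfree(s->term); s->term = NULL;) is unchanged, so a failure because this process cannot reach the pty devices or cannot set tty ownership would look like any other allocation failure. Consider keeping the PRIVSEP() call and having the privileged side take on the user's credentials around the allocation instead, and add a comment at this call stating which process is expected to own the pty.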

I can imagine this is not the right way to do it. I predict this breaks
badly when the unprivileged process is chroot'ed.

I think a better approach would be to switch to the actual user
somewhere inside pty_allocate(). If we called openpty() as the
proper user, we wouldn't need functions like pty_setowner(), because
openpty() already sets the proper permissions then.

There's no rush in implementing this, but I think it would be cool if
OpenSSH would honour this behaviour. Thanks!

-- 
 Ed Schouten <ed at FreeBSD.org>
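
The approach suggested at the end of the message, sketched as an added example (not code from the post or from OpenSSH): a privileged process takes on the user's IDs only for the duration of the allocation. pty_allocate_as() is a hypothetical name, and the sketch assumes that the kernel charges the PTY to the credentials in force at posix_openpt() time and that setresuid()/setresgid() are available.

```c
#define _GNU_SOURCE	/* setresuid(), posix_openpt() on glibc */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Hypothetical helper, not OpenSSH code: open a PTY while holding the target
 * user's real and effective IDs, then switch back. Saved IDs are left alone
 * (-1) so that a root caller can return. Supplementary groups are not changed.
 * Returns 0 on success, -1 on failure; exits if the IDs cannot be restored.
 */
int
pty_allocate_as(uid_t uid, gid_t gid, int *ptyfd, int *ttyfd,
    char *name, size_t namelen)
{
	uid_t ru = getuid(), eu = geteuid();
	gid_t rg = getgid(), eg = getegid();
	const char *slave;
	int ok = 0;

	*ptyfd = *ttyfd = -1;
	/* Group first: changing the gid needs the privilege uid 0 still has. */
	if (setresgid(gid, gid, (gid_t)-1) == -1)
		return -1;
	if (setresuid(uid, uid, (uid_t)-1) == -1) {
		if (setresgid(rg, eg, (gid_t)-1) == -1)
			_exit(1);
		return -1;
	}
	/* The kernel now sees the user's credentials for the allocation. */
	if ((*ptyfd = posix_openpt(O_RDWR | O_NOCTTY)) != -1 &&
	    grantpt(*ptyfd) == 0 && unlockpt(*ptyfd) == 0 &&
	    (slave = ptsname(*ptyfd)) != NULL && strlen(slave) < namelen &&
	    (*ttyfd = open(slave, O_RDWR | O_NOCTTY)) != -1) {
		strcpy(name, slave);
		ok = 1;
	}
	/* Restore uid before gid; failing to get the old IDs back is fatal. */
	if (setresuid(ru, eu, (uid_t)-1) == -1 ||
	    setresgid(rg, eg, (gid_t)-1) == -1)
		_exit(1);
	if (!ok && *ptyfd != -1) {
		close(*ptyfd);
		*ptyfd = -1;
	}
	return ok ? 0 : -1;
}
```

On Linux a process can be signalled by a user whose UID matches its real UID, so the window in which the IDs are switched should stay as short as it is here.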