Re: sshd -- cannot relabel with system_u:object_r:sshd_devpts_t

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 13 Apr 2004 11:03, Tom Mitchell <mitch48@xxxxxxxxxxxxx> wrote:
> I just killed a remote terminal window and noted this message triple in the
> log/messages:
>
>     sshd(pam_unix)[30912]: session opened for user root by (uid=0)
>
>     sshd[30912]: Warning!  Could not relabel  with
> system_u:object_r:sshd_devpts_t, not relabeling.

What version of pam do you have installed?  It should not even be trying to 
relabel a pty back to it's original type.  The idea is that if someone 
exploits a copy of sshd we want to make it as difficult as possible to trick 
it into granting access to another user's session.  Allowing sshd to label 
terminals back from userpty_type makes things easier for an attacker.

> If this is what I think it is sshd will slowly run out of available ptys.

I've noticed that 2.6 kernels don't seem to reuse pty numbers until they reach 
some large number.  I don't think that there's any problem of running out of 
available ptys, it seems to handle things the same way in permissive and 
enforcing modes.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux