On Wed, Apr 14, 2004 at 12:26:36AM +1000, Russell Coker wrote:
> On Tue, 13 Apr 2004 11:03, Tom Mitchell <mitch48@xxxxxxxxxxxxx> wrote:
> > I just killed a remote terminal window and noted this message triple in the
> > log/messages:
> >
> > sshd(pam_unix)[30912]: session opened for user root by (uid=0)
> >
> > sshd[30912]: Warning! Could not relabel with
> > system_u:object_r:sshd_devpts_t, not relabeling.
>
> What version of pam do you have installed? It should not even be trying to

# rpm -qa | grep pam
pam-0.77-38
# rpm -q --whatprovides /usr/sbin/sshd
openssh-server-3.6.1p2-34

> relabel a pty back to its original type. The idea is that if someone
> exploits a copy of sshd we want to make it as difficult as possible to trick
> it into granting access to another user's session. Allowing sshd to label
> terminals back from userpty_type makes things easier for an attacker.
>
> > If this is what I think it is sshd will slowly run out of available ptys.
>
> I've noticed that 2.6 kernels don't seem to reuse pty numbers until they reach
> some large number. I don't think that there's any problem of running out of
> available ptys, it seems to handle things the same way in permissive and
> enforcing modes.

Thanks, I am less concerned now.
Running out of ptys can take a while, so that end point might have been lightly tested.

-- 
T o m   M i t c h e l l
/dev/null the ultimate in secure storage.
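The two log lines quoted in the thread (the pam_unix "session opened" line and the sshd "Could not relabel" warning) share the sshd pid, which is what lets a log reviewer tie a relabel warning to the session it belongs to. The script below is an added example, not code from the thread or from any pam/sshd project: it parses constructed syslog lines modelled on the quoted messages (timestamps, hostname, the extra pids and the user "alice" are made up) and joins each relabel warning to the user whose session that pid opened, so that a review of /var/log/messages can list which sessions the policy blocked from being relabeled. The warning is kept on one log line, as it would be in the log itself rather than wrapped by the mail client.

```python
import re

# Constructed sample syslog lines modelled on the two messages quoted in the
# thread. The timestamp/hostname prefixes, the pids 30950/31002 and the user
# "alice" are made up for the example.
SAMPLE_LOG = """\
Apr 13 11:01:02 host sshd(pam_unix)[30912]: session opened for user root by (uid=0)
Apr 13 11:01:02 host sshd[30912]: Warning! Could not relabel with system_u:object_r:sshd_devpts_t, not relabeling.
Apr 13 11:05:40 host sshd(pam_unix)[30950]: session opened for user alice by (uid=0)
Apr 13 11:05:41 host sshd(pam_unix)[30950]: session closed for user alice
Apr 13 11:07:10 host sshd[31002]: Warning! Could not relabel with system_u:object_r:sshd_devpts_t, not relabeling.
"""

# pam_unix announces a session with the sshd pid in brackets and the user name.
SESSION_RE = re.compile(
    r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: session opened for user (?P<user>\S+)"
)
# The relabel warning carries the same pid and the full context that sshd
# tried (and was refused) to relabel the pty with. The context is taken up to
# the comma so "user:role:type[:level]" stays intact.
RELABEL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Warning! Could not relabel with (?P<ctx>[^\s,]+), not relabeling"
)


def correlate_relabel_warnings(lines):
    """Return one record per relabel warning, joined by pid to the pam session
    that the same sshd process opened. 'user' is None when no session-open line
    was seen for that pid (e.g. the log was rotated between the two lines)."""
    sessions = {}   # pid -> user name from the pam_unix "session opened" line
    findings = []
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            sessions[int(m["pid"])] = m["user"]
            continue
        m = RELABEL_RE.search(line)
        if m:
            pid = int(m["pid"])
            ctx = m["ctx"]
            fields = ctx.split(":")
            findings.append({
                "pid": pid,
                "user": sessions.get(pid),
                "context": ctx,
                # third field of an SELinux context is the type (works with or
                # without a trailing MLS level field)
                "type": fields[2] if len(fields) > 2 else None,
            })
    return findings


def summarize(findings):
    """Count refused relabels per user, with 'unknown' for warnings that could
    not be tied to a pam session line."""
    counts = {}
    for f in findings:
        key = f["user"] if f["user"] is not None else "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = correlate_relabel_warnings(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"pid {f['pid']}: session user={f['user']} refused relabel to {f['type']}")
    print(summarize(found))
```

Run as-is it reports the root session from the thread plus one warning with no matching session line; point it at real lines from /var/log/messages to see which sessions the policy is refusing relabels on, which, per Russell's explanation, is the policy doing its job rather than a fault to fix.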