
Bug#1099699: openssh-server: turn off g+w on terminals by default



Package: openssh-server
Version: 1:9.9p2-1
Severity: important

Hi!

During the bookworm cycle security concerns were raised about users
being able to write to other users' terminals by default. This
resulted in CVE-2024-28085 against util-linux and util-linux
improving the write and wall utilities. But ultimately util-linux
can only catch the worst situations, and other programs with
similar facilities exist.

As a fuller fix, util-linux for trixie has removed write and I
intended to turn off g+w by default in trixie. This is the
equivalent of running "mesg n" by default for all users, which was
already done by default for root in root's default bashrc.

This report comes quite late to you in the trixie cycle, as I 
*thought* a) programs honor TTYPERM in /etc/login.defs or b) at 
least use the default mode set on the /dev/pts mount point, and that 
systemd sets/corrects the mode on that.  Turns out none of this is true.

I've now filed a bug against initramfs-tools to fix the default 
/dev/pts mode. But I've also figured out openssh has its own idea 
and sets 0620 on pseudo-terminals, if group "tty" exists. This does 
not seem to be configurable in any way.

Please find a trivial patch attached to always set 0600 instead.
The patch should work as-is in debian/patches/; I've done a test 
build with it and confirmed it works for me.

I guess the patch is not forwardable as is, but at least would get 
trixie into a secure-by-default state. Please apply it.

Again, sorry for being this late.

Thanks,
Chris

From: Chris Hofstaedtler <zeha@debian.org>
Date: Thu, 6 Mar 2025 22:48:44 +0100
Subject: Deny tty group based write access to users' terminals

Apply a fuller fix for CVE-2024-28085 by turning off group write
access on users' terminals by default. This is the equivalent of
running "mesg n" for each user, as commonly done for root.

Linux systems supposedly have this configurable in /etc/login.defs
but it turns out all relevant programs just hardcode their own values.

Signed-off-by: Chris Hofstaedtler <zeha@debian.org>

---

diff --git a/sshpty.c b/sshpty.c
index 7870c6482..d62237206 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -175,7 +175,7 @@ pty_setowner(struct passwd *pw, const char *tty, const char *role)
 	if (grp == NULL)
 		debug("%s: no tty group", __func__);
 	gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
-	mode = (grp != NULL) ? 0620 : 0600;
+	mode = 0600;
 
 	/*
 	 * Change owner and mode of the tty as required.
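Review bot: the hunk makes `mode` unconditional but keeps the `grp != NULL` selection for `gid`, so a pty is still chgrp'd to the tty group, just with no group permission bits; that is consistent with the stated intent (the owner can still opt back in with `mesg y`, which is chmod g+w on their own tty), but it also means the "no tty group" debug message above now only describes the group, not the mode, and the value remains hardcoded rather than read from TTYPERM in /etc/login.defs, as the commit message itself notes. A compile-time define or a documented default in the Debian packaging (plus a changelog or NEWS line, since the visible behaviour of write(1)-style tools changes for existing users) would make the change easier to forward upstream and to explain to administrators.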

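The report's core check, whether a terminal device's mode hands out group or world write and thus lets other users' terminal-messaging tools print to it, is easy to audit on a running system. The script below is an added example, not code from the bug report, OpenSSH or util-linux; it parses TTYPERM from /etc/login.defs (defaulting to the 0600 the patch hardcodes), stats the /dev/pts entries (or any paths given on the command line) and reports anything that still grants g+w or o+w, or that differs from the expected mode. The function names are this example's own.

```python
"""Audit pseudo-terminal modes for group/other write access.

Added example (not from the bug report or any project it mentions).
A pty at 0620 with group "tty" is what "mesg y" yields and is the
state the report wants turned off by default; 0600 is "mesg n".
"""
import glob
import os
import stat
import sys


def parse_login_defs(text: str) -> dict:
    """Return {NAME: VALUE} for non-comment 'NAME VALUE' lines of login.defs text."""
    defs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs


def expected_tty_mode(defs: dict, default: int = 0o600) -> int:
    """TTYPERM as an int; falls back to 0600 (the patch's hardcoded value) when unset."""
    raw = defs.get("TTYPERM")
    if raw is None:
        return default
    return int(raw, 8)


def grants_write_to_others(mode: int) -> bool:
    """True when the permission bits allow group or world write."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def classify_mode(mode: int, expected: int = 0o600):
    """Return a finding for a deviant permission set, or None when it is as expected."""
    if grants_write_to_others(mode):
        return (f"mode {mode:04o} grants group/other write: other users' "
                "terminal-messaging tools can print to this terminal")
    if mode != expected:
        return f"mode {mode:04o} differs from expected {expected:04o}"
    return None


def audit_ttys(paths, expected: int = 0o600):
    """Stat each path; return (path, mode_or_None, reason) for every deviation."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError as exc:
            # Unreadable or vanished entry: report it rather than silently skip.
            findings.append((path, None, f"stat failed: {exc.strerror}"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        reason = classify_mode(mode, expected)
        if reason is not None:
            findings.append((path, mode, reason))
    return findings


if __name__ == "__main__":
    defs = {}
    try:
        with open("/etc/login.defs", encoding="utf-8") as fh:
            defs = parse_login_defs(fh.read())
    except OSError:
        pass  # no login.defs: fall back to the 0600 default
    expected = expected_tty_mode(defs)
    targets = sys.argv[1:] or sorted(glob.glob("/dev/pts/[0-9]*"))
    for path, _mode, reason in audit_ttys(targets, expected):
        print(f"{path}: {reason}")
```

Run it as root (or as any user to see only your own ptys) before and after applying the patch: on an unpatched openssh-server with a "tty" group, every sshd-allocated pty shows up as 0620; after the patch, only terminals whose owner explicitly ran `mesg y` remain on the list.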