I have to run a private copy of sshd (on AIX) as non-root because the local admin won't install the real thing. As non-root, I can't chown() ptys. The sshd function pty_setowner() fails and so does sshd when I try an interactive (shell) login. The chown() should not be attempted if sshd is running as non-root. (All the occurrences of chown() in sshpty.c need this checking.)
Can you allocate ptys as non-root?
Yes, the previous (non-open) version of sshd that I compiled and installed on this AIX machine worked fine, even though it couldn't chown the ptys. The AIX ptys are set up this way:

    acadaix%~[507] ls -l /dev/pts/99
    crw-rw-rw- 1 root system 25, 99 Apr 25 2001 /dev/pts/99

You can use them, you just can't chown them!
Can other users access the tty and snoop data?
I'm not a pty expert. I don't think you can "snoop" characters from a pty without preventing them from going to the original application. If the pty is opened O_EXCL, I think that locks out anyone else. (Actually, given the documentation below, it seems that only one process can open the control half of the pty even without O_EXCL.) Certainly many unpriv applications manage to use ptys without being root. I just haven't programmed that in a decade or so, so I don't know the current methodology.

From the AIX (4.2) pty man page:

<start>

In AIX Version 4, the pty subsystem uses naming conventions similar to those from UNIX System V. There is one node for the control driver, /dev/ptc, and a maximum number of N nodes for the slave drivers, /dev/pts/n. N is configurable at pty configuration and may be changed dynamically by pty reconfiguration, without closing the opened devices.

The control device is set up as a clone device whose major device number is the clone device's major number and whose minor device number is the control driver's major number. There is no node in the filesystem for control devices. A control device can be opened only once, but slave devices can be opened several times.

By opening the control device with the /dev/ptc special file, an application can quickly open the control and slave sides of an unused pseudo-terminal. The name of the corresponding slave side can be retrieved using the ttyname subroutine, which always returns the name of the slave side.

Implementation Specifics

This file is part of Base Operating System (BOS) Runtime.

With Berkeley pty subsystems, commands have to search for an unused pseudo-terminal by opening each control side sequentially. The control side could not be opened if it was already in use. Thus, the opens would fail, setting the errno variable to EIO, until an unused pseudo-terminal was found.

It is possible to configure the pty subsystem in order to use special files with the BSD pty naming convention:

    Control devices  /dev/pty[p-zA-Z][0-f]
    Slave devices    /dev/tty[p-zA-Z][0-f]

These special files are not symbolic links to the AIX special files. The BSD special files are completely separate from the AIX special files. The number of control and slave pair devices using the BSD naming convention is configurable.

In version 3 of the operating system, the pty subsystem used two multiplexed special files, /dev/ptc and /dev/pts. These special files no longer exist, but the procedure for opening a pty device is the same.

</end>

    $ ls -l /dev/ptc
    crw-rw-rw- 1 root system 11, 24 Apr 30 1999 /dev/ptc
    $ tty
    /dev/pts/1
    $ ls -l /dev/pts/1
    crw--w--w- 1 alleni teacher 25, 1 Feb 19 04:27 /dev/pts/1
    $ ls -l /dev/pts/99
    crw-rw-rw- 1 root system 25, 99 Apr 25 2001 /dev/pts/99
For systems with STREAMS ptys, grantpt() calls a set-uid helper program to change pty ownership and modes. With some investigation and rework of pty handling we could potentially use this behaviour for certain platforms.
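
A sketch of the behaviour requested in the first comment, added here as an example and not taken from sshd or from any poster in this thread: chown() is attempted only when running as root, and when ownership cannot be fixed the slave's mode is checked so that a node like the crw-rw-rw- /dev/pts/99 listing above is reported instead of silently accepted. The names set_pty_owner, should_chown, mode_exposed and the pty_own result codes are hypothetical.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum pty_own { PTY_FAIL = -1, PTY_OK = 0, PTY_OK_EXPOSED = 1 };

/* Attempt chown() only when ownership is wrong AND we are root. */
int should_chown(const struct stat *st, uid_t euid, uid_t user, gid_t gid)
{
    if (st->st_uid == user && st->st_gid == gid)
        return 0;
    return euid == 0;
}

/* Group/other read lets another local user consume the session's input;
 * other write lets any local user write to the terminal. */
int mode_exposed(mode_t m)
{
    return (m & (S_IRGRP | S_IROTH | S_IWOTH)) != 0;
}

enum pty_own set_pty_owner(const char *tty, uid_t user, gid_t gid)
{
    struct stat st;
    uid_t me = geteuid();

    if (stat(tty, &st) == -1)
        return PTY_FAIL;
    if (should_chown(&st, me, user, gid)) {
        if (chown(tty, user, gid) == -1)
            return PTY_FAIL;        /* root and still failing: real error */
        st.st_uid = user;
    }
    /* chmod() succeeds only for root or the node's owner. */
    if (me == 0 || st.st_uid == me)
        return chmod(tty, S_IRUSR | S_IWUSR) == -1 ? PTY_FAIL : PTY_OK;
    /* Non-root and not the owner: cannot fix it, so report it. */
    return mode_exposed(st.st_mode) ? PTY_OK_EXPOSED : PTY_OK;
}

int main(void)
{
    struct stat st;
    const char *tty = ttyname(STDIN_FILENO);   /* read-only check of our tty */
    if (tty != NULL && stat(tty, &st) == 0)
        printf("%s exposed=%d\n", tty, mode_exposed(st.st_mode));
    return 0;
}
```

A caller that gets PTY_OK_EXPOSED can log a warning or refuse the interactive session, depending on how much it trusts other local users.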