Bugtraq mailing list archives
Re: Fix for ssh-1.2.27 symlink/bind problem
From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Tue, 26 Oct 1999 17:02:59 -0400
Markus Friedl:

> On Mon, Oct 25, 1999 at 07:05:01PM -0400, Wietse Venema wrote:
> > I was talking about seteuid(), which leaves real uid == 0, so that
> > the process remains protected against groping by unprivileged users.
>
> All I was trying to say is:
>
> 1) ssh _did_ use seteuid() for swapping uids (until version 1.2.12.
>    ossh and openssh still use seteuid() and are not vulnerable to this
>    attack).
>
> 2) post-ssh-1.2.12 uses a different, more complex approach and fails.
I have a comment on your statement that "in order to avoid leakage of
the private hostkey (e.g. in core-dumps) when running suid-root, ssh
now forks into 2 processes", because this statement could leave the
wrong impression with the reader.

On UNIX, key disclosure via core dumps can be prevented by disabling
core dumps (setrlimit(2)). Key disclosure via unprivileged access to
process memory can be prevented by keeping a privileged real UID
(ptrace(2), procfs(5)). For key protection, it is unnecessary to get
into the complexity of managing two processes.

This is not a plea to always use variable-privilege software when the
job can be done by a combination of fixed-privilege processes. But it
_is_ a plea to use the right tool in the right place.

The Postfix MTA uses a combination of fixed and variable privileges.
Some processes (notably those interacting with the network) run with a
fixed low privilege. Some processes (notably those interacting with
userland) hang on to their privileged real UID so that they can perform
certain operations with the proper user privileges, without having to
worry about unprivileged users manipulating their open
files/sockets/pipes etc. and thus messing up the mail system.

	Wietse
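The two protections the message above names, as an added example written for this archive page; it is not code from the Bugtraq thread, from ssh, ossh/openssh, or from Postfix. It disables core dumps with setrlimit(2) and swaps only the effective uid with seteuid(), then checks that the real uid survived the swap. The uid values (0 and 1000) and the small attach-rule function at the end are assumptions for illustration: the function is a simplified model of the classic ptrace(2) rule for a tracer without special privilege (its uid must match the target's real, effective and saved uid; Linux additionally requires the target to be dumpable), not kernel code.

```c
/* Added example, not from the thread or from any ssh/Postfix source.
 * Shows on a POSIX system:
 *   1. setrlimit(RLIMIT_CORE, 0) so a crash cannot write key material to disk;
 *   2. seteuid() privilege swapping, which leaves the real uid at 0 so an
 *      unprivileged user cannot attach with ptrace(2) or read /proc/PID/mem.
 * Uid values and the attach-rule model are assumptions for illustration. */
#define _XOPEN_SOURCE 700
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

/* Forbid core dumps for this process and its children. Returns 0 on success. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };          /* soft and hard limit both zero */
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 if the current soft core-file limit is zero, 0 otherwise or on error. */
int core_limit_is_zero(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

/* Swap only the effective uid to `target`, verify the real uid is untouched,
 * then swap back. Returns 1 if both held, 0 on any failure.
 * Run as root with target = an ordinary uid this is the seteuid()-style swap
 * the thread discusses; run unprivileged with target = getuid() the swap is a
 * no-op that still exercises the same calls. */
int swap_euid_preserves_real_uid(uid_t target)
{
    uid_t real_before = getuid();
    uid_t eff_before  = geteuid();
    if (seteuid(target) != 0)
        return 0;
    int ok = (getuid() == real_before) && (geteuid() == target);
    /* Regaining the old effective uid works because the real (or saved) uid still holds it. */
    if (seteuid(eff_before) != 0)
        return 0;
    return ok;
}

/* Simplified model (assumption, not kernel code) of the classic attach rule for a
 * tracer without CAP_SYS_PTRACE: its uid must equal the target's real, effective
 * and saved uid (Linux also requires the target to be dumpable). A seteuid()-swapped
 * root process keeps real uid 0, so an unprivileged tracer never matches. */
int unprivileged_can_attach(uid_t tracer, uid_t t_real, uid_t t_eff, uid_t t_saved)
{
    return tracer == t_real && tracer == t_eff && tracer == t_saved;
}

int main(void)
{
    uid_t me = getuid();
    printf("core dumps disabled: %s\n",
           (disable_core_dumps() == 0 && core_limit_is_zero()) ? "yes" : "no");
    printf("seteuid swap keeps real uid: %s\n",
           swap_euid_preserves_real_uid(me) ? "yes" : "no");
    /* Real uid 0, effective uid 1000 after a seteuid(1000) swap: uid 1000 cannot attach. */
    printf("uid 1000 can attach to euid-swapped root process: %s\n",
           unprivileged_can_attach(1000, 0, 1000, 0) ? "yes" : "no");
    /* After a full drop (real, effective and saved uid all 1000): uid 1000 can attach. */
    printf("uid 1000 can attach after full uid drop: %s\n",
           unprivileged_can_attach(1000, 1000, 1000, 1000) ? "yes" : "no");
    return 0;
}
```

Compile with `cc -o keyprot keyprot.c` and run it once unprivileged and once as root; in both cases the real uid reported before and after the swap is the same, which is exactly the property that keeps the process out of reach of an unprivileged ptrace(2) or procfs(5) reader without a second process.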
Current thread:
- Re: Fix for ssh-1.2.27 symlink/bind problem, (continued)
- Re: Fix for ssh-1.2.27 symlink/bind problem Markus Friedl (Oct 26)
- Re: Fix for ssh-1.2.27 symlink/bind problem Wietse Venema (Oct 27)
- Re: Fix for ssh-1.2.27 symlink/bind problem Casper Dik (Oct 29)
- Re: Fix for ssh-1.2.27 symlink/bind problem Eivind Eklund (Oct 29)
- Re: Fix for ssh-1.2.27 symlink/bind problem Markus Friedl (Oct 26)
- Re: Fix for ssh-1.2.27 symlink/bind problem Wietse Venema (Oct 26)