Bugtraq mailing list archives

Re: Fix for ssh-1.2.27 symlink/bind problem


From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Tue, 26 Oct 1999 17:02:59 -0400


Markus Friedl:
> On Mon, Oct 25, 1999 at 07:05:01PM -0400, Wietse Venema wrote:
> > I was talking about seteuid(), which leaves real uid == 0, so that
> > the process remains protected against groping by unprivileged users.
>
> all I was trying to say is:
>   1) ssh _did_ use seteuid() for swapping uids (until version 1.2.12. ossh
>      and openssh still use seteuid() and are not vulnerable to this attack).
>   2) post-ssh-1.2.12 uses a different, more complex approach and fails.

I have a comment on your statement that "in order to avoid leakage
of the private hostkey (e.g.  in core-dumps) when running suid-root,
ssh now forks into 2 processes", because this statement could leave
the wrong impression with the reader.

On UNIX, key disclosure via core dumps can be prevented by disabling
core dumps (setrlimit(2)).  Key disclosure via unprivileged access
to process memory can be prevented by keeping a privileged real
UID (ptrace(2), procfs(5)). For key protection, it is unnecessary
to get into the complexity of managing two processes.

This is not a plea to always use variable-privilege software when
the job can be done by a combination of fixed-privilege processes.
But it _is_ a plea to use the right tool in the right place.

The Postfix MTA uses a combination of fixed and variable privileges.
Some processes (notably those interacting with the network) run
with a fixed low privilege. Some processes (notably those interacting
with userland) hang on to their privileged real UID so that they
can perform certain operations with the proper user privileges,
without having to worry about unprivileged users manipulating their
open files/sockets/pipes etc. and thus messing up the mail system.

        Wietse
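As an added illustration, not code from this thread, from ssh or from Postfix: a small C program (Linux/glibc assumed) that applies the two protections named in the message above, disabling core dumps with setrlimit(2) and swapping only the effective UID with seteuid() so that the real UID stays 0, next to the permanent setuid() drop that a fixed-privilege process would use instead. The target UID (argv[1], or the caller's own UID so the demo also runs unprivileged) and the placeholder for the user-level operation are assumptions for the demo.

```c
/* Added example, not from the thread nor from ssh/Postfix source.
 * Assumes Linux/glibc. The target UID and the "user-level operation"
 * placeholder in main() are demo assumptions. */
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/resource.h>

/* Key disclosure via core dumps: forbid them outright. Setting both the
 * soft and hard RLIMIT_CORE to 0 means this process and its children cannot
 * raise the limit again. Returns 0 on success, -1 with errno set. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Current soft core-file limit, so a caller can confirm the change. */
rlim_t core_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return (rlim_t)-1;
    return rl.rlim_cur;
}

/* Variable privilege, the seteuid() way: only the effective UID moves; the
 * real UID (0 when started as root) stays put. On Linux an unprivileged user
 * may only ptrace() or read /proc/PID/mem of a process whose real, effective
 * and saved UIDs all match theirs, so a real UID of 0 keeps the key material
 * out of reach, and root can be regained later with seteuid(0).
 * Returns 1 if the real UID was preserved, 0 if it changed (it should not),
 * -1 if seteuid() itself failed. */
int become_user_keep_real_uid(uid_t target)
{
    uid_t real_before = getuid();
    if (seteuid(target) != 0)
        return -1;
    return getuid() == real_before;
}

/* Undo the above: back to the real UID's privilege (root if started as root). */
int regain_real_uid_privilege(void)
{
    return seteuid(getuid());
}

/* Contrast, the fixed-privilege tool: setuid() from root replaces real,
 * effective and saved UIDs, so root is gone for good and any process of that
 * user may now ptrace() this one. Right for a network-facing worker that never
 * needs root again, wrong for a process that must act for many users in turn.
 * Returns 0 when all UIDs moved, -1 otherwise (a half-dropped state is worse
 * than either extreme). */
int drop_privileges_permanently(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    return (getuid() == target && geteuid() == target) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Demo assumption: numeric UID in argv[1], else the caller's own UID. */
    uid_t target = (argc > 1) ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();

    if (disable_core_dumps() != 0) {
        perror("setrlimit(RLIMIT_CORE)");
        return 1;
    }
    printf("core limit now %lu\n", (unsigned long)core_limit());

    int r = become_user_keep_real_uid(target);
    if (r < 0) {
        perror("seteuid");
        return 1;
    }
    printf("real uid %lu, effective uid %lu, real uid preserved: %s\n",
           (unsigned long)getuid(), (unsigned long)geteuid(), r ? "yes" : "no");

    /* ... the user-level operation goes here (placeholder for the demo) ... */

    if (regain_real_uid_privilege() != 0) {
        perror("seteuid(back)");
        return 1;
    }
    printf("effective uid back to %lu\n", (unsigned long)geteuid());
    return 0;
}
```

Run as root with a real user's UID to see the effective UID move while getuid() keeps reporting 0; run unprivileged and seteuid() to your own UID is a permitted no-op, which is why the demo still completes. drop_privileges_permanently() is deliberately not called from main(): once taken, that step cannot be undone in the same process, which is exactly the property a fixed-privilege network worker wants and a user-facing helper does not.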
