Bugtraq mailing list archives

Re: Fix for ssh-1.2.27 symlink/bind problem

From: eivind () FREEBSD ORG (Eivind Eklund)
Date: Mon, 4 Oct 1999 10:35:02 +0200


On Sat, Oct 02, 1999 at 06:38:46PM -0400, Scott Gifford wrote:

I've put together a patch that lets ssh work around the OS bug that
allows bind to follow symlinks.


There isn't general consensus that this is an OS bug.  We (as in
FreeBSD) have installed a workaround consisting of blocking symlink
following for the case, but we have not yet decided if we should make
this permanent.

In my opinion, ssh is clearly the buggy party here; not following
symlinks in the OS is just a workaround to avoid buggy programs
causing problems.  We will only do this if we find that there are so
few legitimate consumers of the behaviour that we can change it
without problems - so far, we've only found one consumer, and it is
only of historic interest, being a part of FreeBSD itself (related to
/dev/log creation, IIRC) and only present in old versions.

Eivind.

Current thread:

Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy], (continued)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Pavel Kankovsky (Oct 02)
- Buffer Overflows and Remote Root Exploits Crispin Cowan (Oct 02)
- (no subject) Dennis Conrad (Oct 03)
  - Re: Sample DOS against the Sambar HTTP-Server Steve (Oct 06)
    - Re: Sample DOS against the Sambar HTTP-Server Dennis Conrad (Oct 08)
  - Re: Sample DOS against the Sambar HTTP-Server syz (Oct 09)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Dan Astoorian (Sep 30)
  - Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Casper Dik (Oct 01)
  - RFP9904: TeamTrack webserver vulnerability .rain.forest.puppy. (Oct 02)
  - Fix for ssh-1.2.27 symlink/bind problem Scott Gifford (Oct 02)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Eivind Eklund (Oct 04)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Toomas Kiisk (Oct 05)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Olaf Seibert (Oct 04)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Dan Astoorian (Oct 05)
    - Weakness In "The Matrix" Screensaver For Windows Boyce, Nick (Oct 04)
    - Re: Weakness In "The Matrix" Screensaver For Windows Glenn Walker (Oct 05)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Jeff Long (Sep 30)
  - Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Chris Keane (Oct 01)
    - Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Sylvain Robitaille (Oct 04)
    - Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Dan Astoorian (Oct 04)
    - FireWall-1 weakness? Rosner, D (Oct 04)

(Thread continues...)