Bugtraq mailing list archives

Re: [Fwd: Truth about ssh 1.2.27 vulnerability]


From: long () KESTREL CC UKANS EDU (Jeff Long)
Date: Mon, 4 Oct 1999 11:23:52 -0500


Chris Keane wrote:

On Thu, 30 Sep 1999, "JL" = Jeff Long wrote:

  JL> Seeing the race problems with the previous two patches I thought I
  JL> would take a shot at one.  It changes the effective uid/gid to the
  JL> user logging in before doing the bind() (and then resets them after)
  JL> which seems to take care of the problem.  [ ... ]  The bind() will
  JL> fail if a symlink exists to a file that the user would normally not
  JL> be able to write to (such as /etc/nologin).

Surely this still isn't ideal, though?  It now won't overwrite root-owned
files, so the security hazard isn't there, but anyone on the system can
still fool a user into overwriting one of his own files, which is not
great.

directory the socket is created in is owned by the logging in user.
Thus other users shouldn't be able to cause this problem.  If the
directory doesn't exist the patched version creates the directory (as
root) then chowns the directory to the logging in user so I believe only
the user will be able to overwrite their own files (i.e. they would have
to create the symlink themselves to erase their own file).

Jeff Long
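Added example (C, my own code, not the patch or anything from the thread): the effective uid/gid swap around bind() that the quoted patch describes, with a self-test that binds once normally, then plants a symlink to an existing file at the socket path and checks that bind() fails and leaves the target untouched. Function names and the temp-directory layout are assumptions; note that on current Linux bind() refuses any pre-existing path with EADDRINUSE, so the symlink case fails whatever the target's permissions are.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
/* Bind a UNIX-domain socket at `path` with the effective uid/gid of the
 * logging-in user, so the kernel judges bind() as that user, not as root.
 * Returns the socket fd, or -1 with errno set; privileges are restored. */
int bind_socket_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd, rc, err;
    if (strlen(path) >= sizeof sa.sun_path) { errno = ENAMETOOLONG; return -1; }
    strcpy(sa.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    /* Group first: once euid is unprivileged, setegid() would be refused. */
    if (setegid(gid) < 0 || seteuid(uid) < 0) { err = errno; close(fd); errno = err; return -1; }
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa); err = errno;
    /* Uid first on the way back, so the gid change is permitted again. */
    if (seteuid(saved_uid) < 0 || setegid(saved_gid) < 0) abort();
    if (rc < 0) { close(fd); errno = err; return -1; }
    return fd;
}
/* Demonstration for a non-root caller (constructed scenario): a fresh socket
 * directory owned by the caller, one normal bind, then a bind where a symlink
 * to an existing file sits at the socket path (the thread's scenario).
 * Returns 0 if the first bind succeeds and the second fails, target intact. */
int demo_symlink_bind(void)
{
    char dir[] = "/tmp/ssh-demo-XXXXXX", sock[64], target[64];
    struct stat st; int fd;
    if (!mkdtemp(dir) || chown(dir, getuid(), getgid()) < 0) return 1;
    snprintf(sock, sizeof sock, "%s/agent-socket", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if ((fd = bind_socket_as_user(sock, getuid(), getgid())) < 0) return 2;
    close(fd); unlink(sock);
    if ((fd = open(target, O_WRONLY | O_CREAT, 0600)) < 0) return 3; close(fd);
    if (symlink(target, sock) < 0) return 4;                 /* planted link */
    if ((fd = bind_socket_as_user(sock, getuid(), getgid())) >= 0) { close(fd); return 5; }
    if (stat(target, &st) < 0 || !S_ISREG(st.st_mode)) return 6; /* untouched */
    unlink(sock); unlink(target); rmdir(dir);
    return 0;
}
```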

