Bugtraq mailing list archives
Re: Fix for ssh-1.2.27 symlink/bind problem
From: djast () CS TORONTO EDU (Dan Astoorian)
Date: Tue, 5 Oct 1999 14:35:52 -0400
On Mon, 04 Oct 1999 06:58:42 EDT, Olaf Seibert writes:
On Sat, 2 Oct 1999, Scott Gifford wrote:+ /* OK, now we know we're in the directory we created. Nobody can + * rmdir() this because we are in it. Nobody besides root can have + * made a symlink in here, because they wouldn't have permission. + * Lookin' good... + **/Actually, a directory *can* be rmdir()ed when it some process' current directory. You can try that with a couple of shells for instance. But once the directory is not empty, it cannot be rmdir()ed anymore. Perhaps you can use that fact to your advantage.
I noticed that questionable comment too. I don't believe it's a
problem; the comment is merely imprecise.
If the directory is rmdir()'d, the bind() will just fail (you generally
can't create files or other objects in a directory that's been
rmdir()'d, for largely the same reasons you can't rmdir() a directory
that contains files).
However, the important point is that even if someone does
rmdir /tmp/ssh-${username}/tempbinddir-${time}-${pid}
mkdir /tmp/ssh-${username}/tempbinddir-${time}-${pid}
after sshd does the chdir(), in order to try to replace the directory
with one in which symlink mischief is possible, the newly-created
directory is still not the current working directory of the sshd
process. That, in conjunction with the other checks the patch does,
such as verifying the ownership, permissions, device and inode numbers,
should be sufficient to ensure that the user hasn't tampered with the
directory.
If the rmdir/mkdir above were done *before* the chdir() call, this would
be detected by the ownership checks that the patch performs on "." after
the chdir().
If sshd were to use the full pathname of the directory (or a path that
passed through "..") instead of a simple relative pathname when doing
its checks or calling bind(), that would also be a problem; as far as I
can tell, the patch is handling it correctly.
-- People shouldn't think that it's better to have
Dan Astoorian loved and lost than never loved at all. It's
Sysadmin, CS Lab not, it's better to have loved and won. All
djast () cs toronto edu the other options really suck. --Dan Redican
Current thread:
- Re: Sample DOS against the Sambar HTTP-Server, (continued)
- Re: Sample DOS against the Sambar HTTP-Server Steve (Oct 06)
- Re: Sample DOS against the Sambar HTTP-Server Dennis Conrad (Oct 08)
- Re: Sample DOS against the Sambar HTTP-Server syz (Oct 09)
- Re: Sample DOS against the Sambar HTTP-Server Steve (Oct 06)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Dan Astoorian (Sep 30)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Casper Dik (Oct 01)
- RFP9904: TeamTrack webserver vulnerability .rain.forest.puppy. (Oct 02)
- Fix for ssh-1.2.27 symlink/bind problem Scott Gifford (Oct 02)
- Re: Fix for ssh-1.2.27 symlink/bind problem Eivind Eklund (Oct 04)
- Re: Fix for ssh-1.2.27 symlink/bind problem Toomas Kiisk (Oct 05)
- Re: Fix for ssh-1.2.27 symlink/bind problem Olaf Seibert (Oct 04)
- Re: Fix for ssh-1.2.27 symlink/bind problem Dan Astoorian (Oct 05)
- Weakness In "The Matrix" Screensaver For Windows Boyce, Nick (Oct 04)
- Re: Weakness In "The Matrix" Screensaver For Windows Glenn Walker (Oct 05)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Chris Keane (Oct 01)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Sylvain Robitaille (Oct 04)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Dan Astoorian (Oct 04)
- FireWall-1 weakness? Rosner, D (Oct 04)
- WIn98 port security query Jay R. Ashworth (Oct 01)