Bugtraq mailing list archives

Re: Fix for ssh-1.2.27 symlink/bind problem


From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Wed, 6 Oct 1999 11:11:12 -0400


Scott Gifford:
  I don't think it is reasonable to expect user programs to jump
through this many hoops (in my SSH patch, I had to make a temporary
directory, stat the directory, chdir() into it, stat my current
directory, bind() the socket, rename the socket, chdir() back out of
my temp directory, and rmdir() the directory --- 8 additional steps,
and over 60 additional lines of C code) to avoid this.

I disagree - this can be done and must be done with little
effort.  Postfix uses UNIX-domain sockets (except on Solaris where
UNIX-domain sockets are too unreliable).  The Postfix listener code
goes like this:

        set_eugid(owner_uid, owner_gid);
        listen_fd = unix_listen(name, backlog, block_mode);
        close_on_exec(listen_fd);
        set_eugid(0, 0);

That's only two extra lines of code to avoid the problem at hand.

Privileged software such as SSH or Postfix must be prepared to
manipulate resources with the proper privilege level. If SSH does
too much as root, it needs to be fixed.

  Further, I think that expecting software authors to realize the
implications of using bind() without these additional maneuverings,
with dire security consequences if they don't, is going to get us
nothing but less secure systems.

This is the second SSH vulnerability involving bind() (the other
one involved port forwarding). They really ought to learn to perform
operations with the right privilege level.

With a little tooling (such as set_eugid()) it is quite easy.

        Wietse
