[12096] in bugtraq
Re: [Fwd: Truth about ssh 1.2.27 vulnerability]
daemon@ATHENA.MIT.EDU (Chris Keane)
Sun Oct 3 22:19:37 1999
Message-Id: <19991001193920.1.29734.qmail@userpc16.comlab.ox.ac.uk>
Date: Fri, 1 Oct 1999 19:39:20 +0100
Reply-To: Chris Keane <Chris.Keane@COMLAB.OX.AC.UK>
From: Chris Keane <Chris.Keane@COMLAB.OX.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <37F3E326.8A5407A8@kestrel.cc.ukans.edu> (Thu, 30 Sep 1999 17:24:38 CDT)
>>>>> On Thu, 30 Sep 1999, "JL" = Jeff Long wrote:
JL> Seeing the race problems with the previous two patches I thought I
JL> would take a shot at one. It changes the effective uid/gid to the
JL> user logging in before doing the bind() (and then resets them after)
JL> which seems to take care of the problem. [ ... ] The bind() will
JL> fail if a symlink exists to a file that the user would normally not
JL> be able to write to (such as /etc/nologin).
Surely this still isn't ideal, though? It now won't overwrite root-owned
files, so the security hazard isn't there, but anyone on the system can
still fool a user into overwriting one of his own files, which is not
great.
Or have I missed something?
Cheers,
Chris.
------------------------------------------------------------------- ><> ---
Hardware Compilation Group, Oxford University Computing Laboratory,
Wolfson Building, Parks Road, Oxford, OX1 3QD, U.K.
tel: +44 (1865) (2)73865 e-mail: Chris.Keane@comlab.ox.ac.uk
http://www.comlab.ox.ac.uk/oucl/users/chris.keane/
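An added example (not code from this post, nor from the ssh 1.2.27 patches under discussion) of the effective uid/gid switch Jeff describes, combined with the two checks Chris's objection calls for: refuse any pre-existing name at the socket path instead of binding over it, and place the socket inside a freshly created mode-0700 directory in the style ssh-agent uses, so there is no predictable path for anyone to plant a link at. Function names, the `agent.sock` file name and the `/tmp/agent-XXXXXX` template are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind a Unix-domain socket at `path`, refusing outright if any name (file,
 * symlink, stale socket) is already there, then confirming the name now refers
 * to a socket owned by `owner`. Caller has already set the effective uid/gid. */
int safe_bind_unix(const char *path, uid_t owner) {
    struct sockaddr_un addr;
    struct stat st;
    int fd, err;
    if (strlen(path) >= sizeof addr.sun_path) { errno = ENAMETOOLONG; return -1; }
    /* lstat, not stat: a planted symlink is seen as a symlink, not as its target. */
    if (lstat(path, &st) == 0 || errno != ENOENT) { errno = EEXIST; return -1; }
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) { err = errno; close(fd); errno = err; return -1; }
    /* Post-check narrows the race window the pre-check alone leaves open. */
    if (lstat(path, &st) != 0 || !S_ISSOCK(st.st_mode) || st.st_uid != owner) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* ssh-agent-style layout with the quoted patch's uid/gid switch: drop to the
 * user (gid first), create a fresh 0700 directory with mkdtemp(), which nobody
 * else can have pre-planted, bind inside it, then restore (uid first).
 * `dir_template` ends in XXXXXX and is rewritten; the socket path goes to `out`. */
int create_agent_socket_as(char *dir_template, char *out, size_t out_len, uid_t uid, gid_t gid) {
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd = -1, err = 0;
    if (setegid(gid) != 0 || seteuid(uid) != 0) { err = errno; goto restore; }
    if (mkdtemp(dir_template) == NULL) { err = errno; goto restore; }
    if (snprintf(out, out_len, "%s/agent.sock", dir_template) >= (int)out_len) { err = ENAMETOOLONG; goto restore; }
    if ((fd = safe_bind_unix(out, uid)) < 0) err = errno;
restore:
    seteuid(saved_euid);
    setegid(saved_egid);
    errno = err;
    return fd;
}
```

The pre-bind lstat() still has a window between check and bind, which is why the fresh private directory, rather than the check, carries the real weight; the post-bind check is there to detect the remaining case rather than silently carry on.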