[12114] in bugtraq


Re: [Fwd: Truth about ssh 1.2.27 vulnerability]

daemon@ATHENA.MIT.EDU (Jeff Long)
Tue Oct 5 13:33:10 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <37F8D498.6194523B@kestrel.cc.ukans.edu>
Date:         Mon, 4 Oct 1999 11:23:52 -0500
Reply-To: Jeff Long <long@KESTREL.CC.UKANS.EDU>
From: Jeff Long <long@KESTREL.CC.UKANS.EDU>
X-To:         Chris Keane <Chris.Keane@COMLAB.OX.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM

Chris Keane wrote:
>
> >>>>> On Thu, 30 Sep 1999, "JL" = Jeff Long wrote:
>
>   JL> Seeing the race problems with the previous two patches I thought I
>   JL> would take a shot at one.  It changes the effective uid/gid to the
>   JL> user logging in before doing the bind() (and then resets them after)
>   JL> which seems to take care of the problem.  [ ... ]  The bind() will
>   JL> fail if a symlink exists to a file that the user would normally not
>   JL> be able to write to (such as /etc/nologin).
>
> Surely this still isn't ideal, though?  It now won't overwrite root-owned
> files, so the security hazard isn't there, but anyone on the system can
> still fool a user into overwriting one of his own files, which is not
> great.

From looking at the code it appears that it checks to make sure the
directory the socket is created in is owned by the logging-in user.
Thus other users shouldn't be able to cause this problem.  If the
directory doesn't exist the patched version creates the directory (as
root) then chowns the directory to the logging-in user so I believe only
the user will be able to overwrite their own files (i.e. they would have
to create the symlink themselves to erase their own file).

Jeff Long
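As an added illustration of the approach this reply describes (it is not the patch from the thread or sshd's own code), the following C program checks that the socket directory is a real directory owned by the logging-in user, then binds the agent socket while holding the user's effective ids and restores root afterwards. The function names and the scratch directory under /tmp are assumptions; the constructed scenario relies on Linux refusing a bind() on a path already occupied by a symlink.

```c
#define _DEFAULT_SOURCE 1          /* mkdtemp, seteuid, symlink under strict -std */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
/* Socket directory must be a real directory (lstat rejects a symlink), owned
 * by the logging-in user and writable by nobody else. Returns 0 if so. */
int check_socket_dir(const char *dir, uid_t uid)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return (st.st_uid == uid && !(st.st_mode & (S_IWGRP | S_IWOTH))) ? 0 : -1;
}

/* bind() with the user's effective ids so the kernel applies the user's
 * permissions, not root's; then restore the daemon's ids. Returns fd or -1. */
int bind_as_user(const char *path, uid_t uid, gid_t gid)
{
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof a.sun_path) return -1;
    strcpy(a.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0); if (fd < 0) return -1;
    uid_t ruid = geteuid(); gid_t rgid = getegid();
    if (setegid(gid) != 0 || seteuid(uid) != 0) { close(fd); return -1; }
    int rc = bind(fd, (struct sockaddr *)&a, sizeof a);
    seteuid(ruid); setegid(rgid);
    if (rc != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario: a fresh 0700 scratch dir passes the check; a symlink
 * planted at the socket path must make bind() fail and create nothing. 0 = ok. */
int demo(void)
{
    char dir[] = "/tmp/agent-demo-XXXXXX", path[96], target[96];
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/agent-socket", dir);
    snprintf(target, sizeof target, "%s/nologin", dir); /* stands in for /etc/nologin */
    int result = check_socket_dir(dir, getuid()) == 0 ? 0 : 2;
    if (symlink(target, path) == 0) {
        int fd = bind_as_user(path, getuid(), getgid());
        if (fd >= 0) { result = 3; close(fd); }    /* bound through the link */
        if (access(target, F_OK) == 0) result = 4; /* link target got created */
    }
    unlink(path); unlink(target); rmdir(dir);
    return result;
}
```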
