[12118] in bugtraq
Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
daemon@ATHENA.MIT.EDU (Sylvain Robitaille)
Tue Oct 5 13:54:33 1999
Message-Id: <199910041636.MAA07964@alcor.concordia.ca>
Date: Mon, 4 Oct 1999 12:36:59 -0400
Reply-To: Sylvain Robitaille <syl@ALCOR.CONCORDIA.CA>
From: Sylvain Robitaille <syl@ALCOR.CONCORDIA.CA>
X-To: Chris.Keane@COMLAB.OX.AC.UK
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991001193920.1.29734.qmail@userpc16.comlab.ox.ac.uk>
Chris Keane wrote:
> Surely this still isn't ideal, though? It now won't overwrite root-owned
> files, so the security hazard isn't there, but anyone on the system can
> still fool a user into overwriting one of his own files, which is not
> great.
No. The code in newchannels.c checks to make sure that the directory
where the socket is about to be created is owned by the user, and
readable/writable only to this user. A user could create a symbolic
link that points to some file in a directory they already have write
permission to, but that's no big feat. (Existing files aren't
overwritten by bind() either, even when symlinks are followed. If the
symlink target exists, bind() returns "address in use". At least that's
the case on Digital Unix.)
Jeff's patch implements an approach that Dan Astoorian suggested to me
off the list, and we both agree it is a reasonable approach.
--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca
Systems Manager Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
