[12136] in bugtraq
Re: Fix for ssh-1.2.27 symlink/bind problem
daemon@ATHENA.MIT.EDU (Wietse Venema)
Wed Oct 6 13:44:50 1999
Message-Id: <19991006151112.72CAD459AD@spike.porcupine.org>
Date: Wed, 6 Oct 1999 11:11:12 -0400
Reply-To: Wietse Venema <wietse@PORCUPINE.ORG>
From: Wietse Venema <wietse@PORCUPINE.ORG>
X-To: sgifford@TIR.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <m33dvqk6ze.fsf@sgifford.tir.com> from Scott Gifford at "Oct 4, 99 08:04:53 pm"
Scott Gifford:
> I don't think it is reasonable to expect user programs to jump
> through this many hoops (in my SSH patch, I had to make a temporary
> directory, stat the directory, chdir() into it, stat my current
> directory, bind() the socket, rename the socket, chdir() back out of
> my temp directory, and rmdir() the directory --- 8 additional steps,
> and over 60 additional lines of C code) to avoid this.
I disagree - this can be done and must be done with little
effort. Postfix uses UNIX-domain sockets (except on Solaris where
UNIX-domain sockets are too unreliable). The Postfix listener code
goes like this:
    set_eugid(owner_uid, owner_gid);            /* drop to the socket owner's ids */
    listen_fd = unix_listen(name, backlog, block_mode); /* socket(), bind(), listen() */
    close_on_exec(listen_fd);                   /* don't leak the fd into children */
    set_eugid(0, 0);                            /* back to root */
That's only two extra lines of code to avoid the problem at hand.
Privileged software such as SSH or Postfix must be prepared to
manipulate resources with the proper privilege level. If SSH does
too much as root, it needs to be fixed.
> Further, I think that expecting software authors to realize the
> implications of using bind() without these additional maneuverings,
> with dire security consequences if they don't, is going to get us
> nothing but less secure systems.
This is the second SSH vulnerability involving bind() (the other
one involves port forwarding). They really ought to learn to perform
operations with the right privilege level.
With a little tooling (such as set_eugid()) it is quite easy.
Wietse
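The listener pattern from the message above, as an added C example that is not Postfix code and not part of the original post: set_eugid(), unix_listen() and listen_as_owner() are minimal stand-ins written for this illustration, and the pattern of regaining root before changing the group is an assumption about how such a helper has to be ordered, not a description of Postfix internals.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* set_eugid(): regain root (if it is saved) so the group change is allowed,
 * then set the group, then the user. An unprivileged caller keeps its ids. */
static int set_eugid(uid_t uid, gid_t gid)
{
    if (geteuid() != 0 && seteuid(0) < 0 && errno != EPERM)
        return -1;
    return (setegid(gid) < 0 || seteuid(uid) < 0) ? -1 : 0;
}

/* unix_listen(): create, bind and listen on a UNIX-domain stream socket. */
static int unix_listen(const char *path, int backlog)
{
    struct sockaddr_un sun;
    int fd, saved;
    if (strlen(path) >= sizeof(sun.sun_path)) { errno = ENAMETOOLONG; return -1; }
    memset(&sun, 0, sizeof(sun));
    sun.sun_family = AF_UNIX;
    strcpy(sun.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (bind(fd, (struct sockaddr *) &sun, sizeof(sun)) < 0 || listen(fd, backlog) < 0) {
        saved = errno; close(fd); errno = saved;   /* report the real cause */
        return -1;
    }
    return fd;
}

/* The Postfix pattern: bind() while holding only the socket owner's ids, so a
 * symlink planted at path cannot make a root process create or clobber a file
 * only root could write. The fd is close-on-exec; bind()'s errno survives. */
int listen_as_owner(const char *path, uid_t uid, gid_t gid, int backlog)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, saved;
    if (set_eugid(uid, gid) < 0) return -1;
    fd = unix_listen(path, backlog);
    saved = errno;                              /* keep bind()'s errno */
    if (fd >= 0) fcntl(fd, F_SETFD, FD_CLOEXEC); /* close_on_exec() */
    if (set_eugid(saved_uid, saved_gid) < 0 && fd >= 0) {
        close(fd); return -1;
    }
    errno = saved;
    return fd;
}
```

Run as root with a non-root uid/gid, the bind() is attempted with those ids, so a planted symlink pointing into a root-only directory fails with EACCES instead of creating the socket there; a second bind() on an existing path fails with EADDRINUSE.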