[12361] in bugtraq
Re: Fix for ssh-1.2.27 symlink/bind problem
daemon@ATHENA.MIT.EDU (Markus Friedl)
Wed Oct 27 15:44:44 1999
Message-Id: <19991026220705.A27410@folly.informatik.uni-erlangen.de>
Date: Tue, 26 Oct 1999 22:07:05 +0200
Reply-To: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
From: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
X-To: Wietse Venema <wietse@porcupine.org>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991025230501.34B8E45A7B@spike.porcupine.org>
On Mon, Oct 25, 1999 at 07:05:01PM -0400, Wietse Venema wrote:
> I was talking about seteuid(), which leaves real uid == 0, so that
> the process remains protected against groping by unprivileged users.
All I was trying to say is:
1) ssh _did_ use seteuid() for swapping uids (until version 1.2.12; ossh
and openssh still use seteuid() and are not vulnerable to this attack).
2) post-ssh-1.2.12 uses a different, more complex approach and fails.
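The seteuid()-based uid swapping the thread refers to, as an added example (editor's own code, not from ssh, ossh or openssh): the effective uid is switched for one operation and restored afterwards, and the real uid is verified to be untouched, which is the property that keeps a root daemon protected against unprivileged users. The function and struct names are the editor's own; the demo targets the caller's own uid so it runs with or without root.

```c
/* Added example, not code from the thread; names are the editor's own. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <errno.h>

/* Run fn(arg) with effective uid 'target', then restore the previous
 * effective uid.  Returns fn's result on success, -1 (errno set) if a
 * switch fails.  The real uid is never modified, so a root daemon keeps
 * ruid 0 throughout and is not exposed to ptrace/signal from that user. */
int run_as_euid(uid_t target, int (*fn)(void *), void *arg)
{
    uid_t saved = geteuid();
    uid_t ruid_before = getuid();
    if (seteuid(target) == -1)
        return -1;
    if (geteuid() != target) {      /* verify the switch really happened */
        seteuid(saved);
        errno = EPERM;
        return -1;
    }
    int rc = fn(arg);
    if (seteuid(saved) == -1 || geteuid() != saved)
        return -1;                  /* failed to regain privileges */
    if (getuid() != ruid_before)    /* seteuid() must leave the ruid alone */
        return -1;
    return rc;
}

/* Sample action: record the uids observed while running under the target. */
struct seen { uid_t ruid, euid; };
static int record_uids(void *p)
{
    struct seen *s = p;
    s->ruid = getuid();
    s->euid = geteuid();
    return 0;
}

int main(void)
{
    struct seen s;
    if (run_as_euid(getuid(), record_uids, &s) == -1) {
        perror("run_as_euid");
        return 1;
    }
    printf("inside: ruid=%u euid=%u; after: ruid=%u euid=%u\n",
           (unsigned)s.ruid, (unsigned)s.euid,
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```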