[12382] in bugtraq
Re: Fix for ssh-1.2.27 symlink/bind problem
daemon@ATHENA.MIT.EDU (Eivind Eklund)
Fri Oct 29 13:19:33 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991029155052.C38256@bitbox.follo.net>
Date: Fri, 29 Oct 1999 15:50:52 +0200
Reply-To: Eivind Eklund <eivind@FREEBSD.ORG>
From: Eivind Eklund <eivind@FREEBSD.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991027223556.8299945AF6@spike.porcupine.org>
On Wed, Oct 27, 1999 at 06:35:56PM -0400, Wietse Venema wrote:
> ssh starts up with the unprivileged real UID of the user; therefore
> setting the effective UID also to that of the user makes the process
> memory accessible for unprivileged access. This is how any reasonable
> UNIX system works, not just Solaris.
I disagree. A reasonable system tracks whether a process has ever had
elevated privileges, and deny access to process memory (core dumps,
debugger attachments) if it has had.
If your system doesn't have this behaviour, that should (in my
opinion) be reported to the vendor as a bug.
From the code, it seems FreeBSD has had correct behaviour for this
(for debugging) at least since rev 1.21 of sys/kern/sys_process.c
(1996/01/24, prior to the 2.2 branch). Before that, it looks like
debugger support was optional and rather broken - but I've not taken
the time to dig carefully through ancient history.
Eivind.
