[3675] in testers
Re: sun4 8.2.4: sshd
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Jun 26 12:15:14 1998
Date: Fri, 26 Jun 1998 12:15:06 -0400
From: Greg Hudson <ghudson@MIT.EDU>
To: "Kevin L. Mitchell <klmitch@MIT.EDU>" <klmitch@MIT.EDU>
Cc: testers@MIT.EDU
In-Reply-To: "[3664] in testers"
> so that when xauthority was run, it would create the file
> /tmp/Xauthority.<random>; this would be much more secure than
> putting it in my AFS home directory
Unfortunately, this opens up an attack whereby a malicious user could
create a symlink /tmp/Xauthority.<random>-n pointing to some file you
own and cause you to overwrite it with an xauthority file. This is
fixable in the xauth code (the problem is that xauth uses unlink() and
fopen() instead of unlink() and open(..., O_EXCL)), but we're not
currently in the business of maintaining xauth, so we should look for
other answers. Ones I see are:
* Create a directory /tmp/xauth-$USER and set XAUTHORITY to
/tmp/xauth-$USER/Xauthority. This proposal has the
advantage that we can do it totally in /etc/sshrc running as
the user. (The tricky part is testing that after "mkdir
/tmp/xauth-$USER" that pathname is owned by the user, but we
can use "find" if nothing else.) It has the disadvantage
that a malicious user can prevent users from using X
forwarding by creating files /tmp/xauth-foo.
* Hack sshd to create a directory /var/athena/xauth/$USER and
set XAUTHORITY to /var/athena/xauth/$USER/Xauthority. This
is a little harder, and it raises a cleanup issue, but it
prevents the denial of service attack. We can't,
incidentally, just set XAUTHORITY to something like
/var/athena/xauth/$USER, because xauth uses atomic
replacement, which requires write permission to the
directory $XAUTHORITY lives in.
One variation on both of these schemes is to set XAUTHORITY to end in
Xauthority-<pid>, to keep xauthority files from various login sessions
separate. There's no real point to that, though, since xauth will
happily merge authority values into an existing file. A variation on
the second scheme is to tie it into some hypothetical future per-user
general temporary directory scheme, thus calling the directory
/var/athena/tmp/$USER and setting XAUTHORITY to
/var/athena/tmp/$USER/.Xauthority.
I'll let Dan decide what he wants to do, as the ssh maintainer.
