Bugtraq mailing list archives
Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
From: long () KESTREL CC UKANS EDU (Jeff Long)
Date: Mon, 4 Oct 1999 11:23:52 -0500
Chris Keane wrote:
On Thu, 30 Sep 1999, "JL" = Jeff Long wrote:

JL> Seeing the race problems with the previous two patches I thought I
JL> would take a shot at one. It changes the effective uid/gid to the
JL> user logging in before doing the bind() (and then resets them after)
JL> which seems to take care of the problem. [ ... ] The bind() will
JL> fail if a symlink exists to a file that the user would normally not
JL> be able to write to (such as /etc/nologin).

Surely this still isn't ideal, though? It now won't overwrite root-owned files, so the security hazard isn't there, but anyone on the system can still fool a user into overwriting one of his own files, which is not great.

directory the socket is created in is owned by the logging in user. Thus other users shouldn't be able to cause this problem. If the directory doesn't exist the patched version creates the directory (as root) then chowns the directory to the logging in user so I believe only the user will be able to overwrite their own files (i.e. they would have to create the symlink themselves to erase their own file).

Jeff Long
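
The approach discussed in this message (a socket directory owned by the logging-in user, and bind() performed under that user's effective uid/gid) can be written as follows. This is an added example, not code from the ssh patch; the function name `bind_user_socket`, its parameters, and the extra group/other-write check on the directory are assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper (not from the ssh source): bind an AF_UNIX socket at
 * dir/name on behalf of uid/gid. Returns the bound fd, or -1 with errno set. */
int bind_user_socket(const char *dir, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    struct sockaddr_un sa;
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    int fd, rc, err, root = (old_uid == 0);

    /* lstat() so that a symlink standing in for the directory is seen as one. */
    if (lstat(dir, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != uid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EPERM;          /* not a directory, not the user's, or writable by others */
        return -1;
    }
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (snprintf(sa.sun_path, sizeof sa.sun_path, "%s/%s", dir, name) >= (int)sizeof sa.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;

    /* Only root can switch identity; group first, while euid is still 0. */
    if (root && (setegid(gid) != 0 || seteuid(uid) != 0)) {
        err = errno;
        if (setegid(old_gid) != 0) err = errno;
        close(fd); errno = err; return -1;
    }
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);   /* path is created as the user */
    err = errno;
    /* Reset the ids; a caller that sees this fail should stop, not continue. */
    if (root && (seteuid(old_uid) != 0 || setegid(old_gid) != 0)) {
        close(fd); return -1;
    }
    if (rc != 0) { close(fd); errno = err; return -1; }
    return fd;
}
```

The directory check and the bind() are not one atomic step; it is the effective-uid switch that limits anything bind() touches to what the user could already write.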