Bugtraq mailing list archives

Re: Fix for ssh-1.2.27 symlink/bind problem

From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Wed, 27 Oct 1999 18:35:56 -0400


Markus Friedl:

Since Solaris 2.3 allowed you to attach (e.g. with gdb) to a
programm running with euid==youruid, Tatu dropped the uid-swapping
code and made ssh fork into two processes.

...

void temporarily_use_uid(uid_t uid)
{
#ifdef SAVED_IDS_WORK_WITH_SETEUID
  saved_euid = geteuid();
  if (seteuid(uid) == -1)
    debug("seteuid %d: %.100s", (int)uid, strerror(errno));
#else


ssh starts up with the unprivileged real UID of the user; therefore
setting the effective UID also to that of the user makes the process
memory accessible for unprivileged access. This is how any reasonable
UNIX system works, not just Solaris.

However, no reasonable UNIX system should allow unprivileged users
to debug a process that runs with real UID == 0, even when the
effective UID is that of the user.  That is the point I have been
making repeatedly in this thread, and now I am tired of making it.

        Wietse

Current thread:

Re: Fix for ssh-1.2.27 symlink/bind problem Scott Gifford (Oct 04)
- <Possible follow-ups>
- Re: Fix for ssh-1.2.27 symlink/bind problem Scott Gifford (Oct 04)
  - SCO UnixWare 7.1 local root exploit Brock Tellier (Oct 05)
  - Re: Fix for ssh-1.2.27 symlink/bind problem Casper Dik (Oct 06)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Phillip Vandry (Oct 06)
  - Re: Fix for ssh-1.2.27 symlink/bind problem Wietse Venema (Oct 06)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Markus Friedl (Oct 25)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Wietse Venema (Oct 25)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Markus Friedl (Oct 26)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Wietse Venema (Oct 27)
    - ExpressFS 2.x FTPServer remotely exploitable buffer overflow vulnerability Luciano Martins (Jul 29)
    - Vulnerability in CMail SMTP Server Version 2.4: Remotely exploitable buffer Luciano Martins (Jul 29)
    - AW: Mac OS 9 Idle Lock Bug Flothow, Sebastian (Oct 29)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Casper Dik (Oct 29)
    - DoS attack for ircd's by oversized PTR record Goblin (Oct 29)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Eivind Eklund (Oct 29)
    - URL Live! 1.0 WebServer UNYUN (Oct 28)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Markus Friedl (Oct 26)
    - Re: Fix for ssh-1.2.27 symlink/bind problem Wietse Venema (Oct 26)
    - Falcon Web Server Advisory (Oct 26)