Bugtraq mailing list archives

OpenSSH_2.5.2p2 RH7.0 <- version info


From: <zen-parse () gmx net>
Date: Tue, 5 Jun 2001 22:04:18 +1200 (NZST)

Sorry, I forgot some relevant information.

With regards to previous post:
Tested on:-

Red Hat Linux release 7.0 (Guinness)

[zen-parse@clarity zen-parse]$ rpm -qf /usr/sbin/sshd
openssh-server-2.5.2p2-1.7.2
[zen-parse@clarity zen-parse]$ ssh -V
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f

The configuration file has not been modified from the default settings.

Although sshd does drop root privileges, the process's groups are not
cleared. (From /proc/$$/status of the sshd handling the session, and the
output of strace and ltrace. (No use of initgroups in the ltrace output of
the process that creates the directory, although it does change euid
beforehand. There is no setgroups in the strace output.))

There may be a race condition for writing the cookie file to any directory
writable by one of the groups root has, if you can delete the directory and
replace it with a symlink before the file is created, but I haven't tested this.

The file itself is created with O_EXCL so a symlink in place of the file
cannot be used to create/overwrite arbitrary files.

On Red Hat 7.0 it appears creation of a file called cookie could be
achieved in only a few places:

 /var/lock/subsys
 /var/run/netreport
 /mnt/cdrom
 /mnt/floppy

and any of the world writable directories.
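The /proc/$$/status observation above can be turned into a quick audit check. The following is an added example, not code from the post or from OpenSSH: it parses the Uid/Gid/Groups lines of a status dump and reports supplementary groups that survived a uid drop. The two status dumps are constructed samples; the group numbers in the "leaky" one are only assumed to be root's supplementary groups on a Red Hat 7.0 box.

```python
import re


def parse_status(text):
    """Return the Uid, Gid and Groups lines of a /proc/<pid>/status dump as int lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Uid|Gid|Groups):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = [int(x) for x in m.group(2).split()]
    return fields


def leaked_groups(text, expected=None):
    """Supplementary GIDs a non-root process still holds that it should not.

    Uid/Gid lines are 'real effective saved fs'. If the effective uid is still 0
    nothing has been dropped yet, so there is nothing to report. Otherwise every
    group outside {effective gid} plus `expected` (the user's legitimate groups,
    e.g. what initgroups() would set) is returned sorted.
    """
    f = parse_status(text)
    euid = f["Uid"][1]
    egid = f["Gid"][1]
    if euid == 0:
        return []
    allowed = {egid} | set(expected or ())
    return sorted(g for g in f.get("Groups", []) if g not in allowed)


# Constructed sample: euid/egid changed to 500, but the Groups line still
# carries a root-style supplementary set (no setgroups/initgroups was called).
SAMPLE_LEAKY = (
    "Name:\tsshd\nUid:\t500\t500\t500\t500\nGid:\t500\t500\t500\t500\n"
    "Groups:\t0 1 2 3 4 6 10 \n"
)

# Constructed sample of a clean drop: only the user's own group remains.
SAMPLE_CLEAN = (
    "Name:\tsshd\nUid:\t500\t500\t500\t500\nGid:\t500\t500\t500\t500\n"
    "Groups:\t500 \n"
)

if __name__ == "__main__":
    # On a live system: leaked_groups(open(f"/proc/{pid}/status").read())
    print("leaky :", leaked_groups(SAMPLE_LEAKY))
    print("clean :", leaked_groups(SAMPLE_CLEAN))
```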

