Date: Sat, 8 Jul 2000 06:42:36 -0400 (EDT) From: Brian Fundakowski Feldman <green@FreeBSD.org> To: Dag-Erling Smorgrav <des@flood.ping.uio.no> Cc: Wes Morgan <morganw@chemicals.tacorp.com>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/crypto/openssh sshd.c Message-ID: <Pine.BSF.4.21.0007080640210.2603-100000@green.dyndns.org> In-Reply-To: <xzp66qgud0w.fsf@flood.ping.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On 8 Jul 2000, Dag-Erling Smorgrav wrote:
> Wes Morgan <morganw@chemicals.tacorp.com> writes:
> > I hope that there is no way ever in 1e6 years that someone will be able to
> > subvert /proc/curproc and get sshd to execute the program of his choice as
> > root when it gets HUP'd. I can't think of any way possible, but there are
> > 6 billion people out there besides me.
>
> Well, for starters, /proc might not be mounted, and an 3v1l h4xx0r
> might be able to trick a root-owned process into creating
> /proc/curproc/file.
Your root directory should not be world writable. If the cracker could
trick a process into unmounting /proc and making it so that the sshd
could be subverted, {,s}he could just as easily have done whatever root
thing they wanted to do in the first place. This change has no effect
at all on security.
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no
--
Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! /
green@FreeBSD.org `------------------------------'
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0007080640210.2603-100000>