From owner-freebsd-security Wed Sep 29 7:39:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by hub.freebsd.org (Postfix) with ESMTP id 47065151A2
	for ; Wed, 29 Sep 1999 07:38:59 -0700 (PDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA19248;
	Wed, 29 Sep 1999 10:38:53 -0400 (EDT)
	(envelope-from wollman)
Date: Wed, 29 Sep 1999 10:38:53 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199909291438.KAA19248@khavrinen.lcs.mit.edu>
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
In-Reply-To: <199909291352.GAA31310@cwsys.cwsent.com>
References: <199909291352.GAA31310@cwsys.cwsent.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> Following is a post to BUGTRAQ. It appears that SSH under FreeBSD is
> also "vulnerable" to bind(2) following symlinks during UNIX Domain
> Socket creation. My question is: Is this an application bug, e.g. not
> checking for a symlink prior to creating the socket, or would this be
> an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX
> Domain Sockets?

Checking for the existence of a symbolic link would simply be a race
condition. It is an application bug in that temporary files created
by applications should always reside in a newly-created directory
which is owned by the appropriate user and mode 700.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
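The approach described in the reply above, as an added example that is not part of the original message and not ssh's own code: the socket is created inside a directory that mkdtemp(3) has just made with mode 0700, so no other user can place a symlink where bind(2) will create it. The function name `bind_private_socket` and the socket name `agent.sock` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes mkdtemp() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Hypothetical helper: tmpl must end in "XXXXXX" and is rewritten in place
 * with the new directory name. Binds a listening socket "agent.sock" inside
 * it; returns the fd (path copied to sock_path) or -1 on any failure. */
int bind_private_socket(char *tmpl, char *sock_path, size_t len)
{
    struct sockaddr_un sa;
    struct stat st;
    int fd;

    /* mkdtemp() creates the directory atomically with mode 0700 and fails
     * instead of reusing an existing name, so nothing can be pre-planted. */
    if (mkdtemp(tmpl) == NULL)
        return -1;
    /* Defence in depth: a real directory, owned by us, closed to others. */
    if (lstat(tmpl, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        goto fail_dir;
    if ((size_t)snprintf(sock_path, len, "%s/agent.sock", tmpl) >= len ||
        strlen(sock_path) >= sizeof(sa.sun_path))
        goto fail_dir;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, sock_path);          /* length checked above */
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        goto fail_dir;
    /* Only the owner can add entries to the directory, so there is no
     * window in which a symlink could appear at sock_path before bind(2). */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0 || listen(fd, 5) != 0) {
        close(fd);
        unlink(sock_path);
        goto fail_dir;
    }
    return fd;
fail_dir:
    rmdir(tmpl);
    return -1;
}
```

The caller is responsible for closing the descriptor and removing the socket and directory when it is done.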