Date: Wed, 29 Sep 1999 22:01:49 -0600
From: Warner Losh <imp@village.org>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
Message-ID: <199909300401.WAA08495@harmony.village.org>
In-Reply-To: Your message of "Wed, 29 Sep 1999 06:52:24 PDT." <199909291352.GAA31310@cwsys.cwsent.com>
References: <199909291352.GAA31310@cwsys.cwsent.com>
In message <199909291352.GAA31310@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
: Following is a post to BUGTRAQ. It appears that SSH under FreeBSD is
: also "vulnerable" to bind(2) following symlinks during UNIX Domain
: Socket creation. My question is: Is this an application bug, e.g. not
: checking for a symlink prior to creating the socket, or would this be
: an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX
: Domain Sockets?

FreeBSD should follow symlinks. In fact in the base system we have
/dev/log which points to /var/run/log.

ssh really needs to be more careful about creating secure unix domain
sockets. I believe the right algorithm is

    if (mkdir("/tmp/ssh-user", 0700)) {
        if (errno == EEXIST) {
            fd = open("/tmp/ssh-user", O_RDONLY);
            if (fd == -1)
                punt!
            if (fchown(fd, user))
                punt!
            if (fchmod(fd, 0700))
                punt!
        }
    }
    bind("/tmp/ssh-user/socket");

Anything else is asking for trouble...
Warner
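
The sketch above carried through to compilable C, as an added example that is not part of the original message and is not ssh's code. It assumes the process runs as the user who should own the directory, so it verifies ownership with fstat() instead of calling fchown(), and it additionally refuses a symlink or a group/world-writable directory found at the path; the names secure_dir and bind_private_socket are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Assumption: we run as the directory's intended owner. Create dir privately,
 * or accept an existing one only if it is a real directory (not a symlink)
 * that we own and that nobody else could have written into. */
static int secure_dir(const char *dir)
{
    struct stat st;
    int fd, ok;
    if (mkdir(dir, 0700) == 0)
        return 0;                /* new directory: ours, no group/other bits */
    if (errno != EEXIST)
        return -1;
    /* O_NOFOLLOW rejects a symlink planted at dir; O_DIRECTORY rejects files. */
    fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    /* fstat/fchmod act on the opened object, so the name cannot be swapped. */
    ok = fstat(fd, &st) == 0 && st.st_uid == geteuid() &&
         (st.st_mode & 022) == 0 && fchmod(fd, 0700) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Returns a socket bound at dir/name, or -1 if anything looks unsafe. */
int bind_private_socket(const char *dir, const char *name)
{
    struct sockaddr_un sa;
    int s, n;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    n = snprintf(sa.sun_path, sizeof sa.sun_path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof sa.sun_path || secure_dir(dir) != 0)
        return -1;
    if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
        return -1;
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) == -1) {
        close(s);
        return -1;
    }
    return s;
}
```
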
