Message-Id: <199909300401.WAA08495@harmony.village.org>
To: Cy Schubert - ITSD Open Systems Group
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 29 Sep 1999 06:52:24 PDT." <199909291352.GAA31310@cwsys.cwsent.com>
References: <199909291352.GAA31310@cwsys.cwsent.com>
Date: Wed, 29 Sep 1999 22:01:49 -0600
From: Warner Losh

In message <199909291352.GAA31310@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
: Following is a post to BUGTRAQ. It appears that SSH under FreeBSD is
: also "vulnerable" to bind(2) following symlinks during UNIX Domain
: Socket creation. My question is: Is this an application bug, e.g. not
: checking for a symlink prior to creating the socket, or would this be
: an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX
: Domain Sockets?

FreeBSD should follow symlinks. In fact, in the base system we have
/dev/log, which points to /var/run/log.

ssh really needs to be more careful about creating secure unix domain
sockets. I believe the right algorithm is

	if (mkdir("/tmp/ssh-user", 0700)) {
		if (errno == EEXIST) {
			fd = open("/tmp/ssh-user", O_RDONLY);
			if (fd == -1) punt!
			if (fchown(fd, user)) punt!
			if (fchmod(fd, 0700)) punt!
		}
	}
	bind("/tmp/ssh-user/socket");

Anything else is asking for trouble...

Warner