Date:      Wed, 29 Sep 1999 22:01:49 -0600
From:      Warner Losh <imp@village.org>
To:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] 
Message-ID:  <199909300401.WAA08495@harmony.village.org>
In-Reply-To: Your message of "Wed, 29 Sep 1999 06:52:24 PDT." <199909291352.GAA31310@cwsys.cwsent.com> 
References:  <199909291352.GAA31310@cwsys.cwsent.com>  

In message <199909291352.GAA31310@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
: Following is a post to BUGTRAQ.  It appears that SSH under FreeBSD is 
: also "vulnerable" to bind(2) following symlinks during UNIX Domain 
: Socket creation.  My question is:  Is this an application bug, e.g. not 
: checking for a symlink prior to creating the socket, or would this be 
: an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX 
: Domain Sockets?

FreeBSD should follow symlinks.  In fact in the base system we have
/dev/log which points to /var/run/log.

ssh really needs to be more careful about creating secure unix domain
sockets.  I believe the right algorithm is

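	/* user: uid of the ssh user; punt: give up without binding */
	if (mkdir("/tmp/ssh-user", 0700)) {
		if (errno != EEXIST)
			goto punt;
		/* directory already exists: force its owner and mode */
		fd = open("/tmp/ssh-user", O_RDONLY);
		if (fd == -1)
			goto punt;
		if (fchown(fd, user, -1))	/* -1 leaves the group unchanged */
			goto punt;
		if (fchmod(fd, 0700))
			goto punt;
	}
	/* sa is a struct sockaddr_un with sun_path "/tmp/ssh-user/socket" */
	bind(s, (struct sockaddr *)&sa, sizeof(sa));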
	
Anything else is asking for trouble...

Warner

