Date:      Wed, 29 Sep 1999 21:30:06 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        imp@village.org (Warner Losh)
Cc:        Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), freebsd-security@FreeBSD.ORG
Subject:   Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
Message-ID:  <199909300430.VAA22377@gndrsh.dnsmgr.net>
In-Reply-To: <199909300401.WAA08495@harmony.village.org> from Warner Losh at "Sep 29, 1999 10:01:49 pm"

> In message <199909291352.GAA31310@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
> : Following is a post to BUGTRAQ.  It appears that SSH under FreeBSD is 
> : also "vulnerable" to bind(2) following symlinks during UNIX Domain 
> : Socket creation.  My question is:  Is this an application bug, e.g. not 
> : checking for a symlink prior to creating the socket, or would this be 
> : an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX 
> : Domain Sockets?
> 
> FreeBSD should follow symlinks.  In fact in the base system we have
> /dev/log which points to /var/run/log.
> 
> ssh really needs to be more careful about creating secure unix domain
> sockets.  I believe the right algorithm is
> 
> 	if (mkdir("/tmp/ssh-user", 0700)) {
> 		if (errno == EEXIST) {
> 			fd = open("/tmp/ssh-user",O_READ);
> 			if (fd == -1)
> 				punt!
> 			if (fchown(fd, user))
> 				punt!
> 			if (fchmod(fd, 0700))
> 				punt!
		} else {
			punt!
		}
> 	}
> 	bind("/tmp/ssh-user/socket");
> 	
> Anything else is asking for trouble...

I had to stare at that code for a while to find out what my brain
was telling me, I knew something wasn't parsing correctly, wanted
to add an else to it, then found the missing }, then found where
I wanted the extra else....


-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
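
The mkdir-then-bind sequence sketched in the quoted message, written out as an added C example that is not part of the original e-mail or of ssh. The names private_dir and bind_private_socket are hypothetical, the parent directory is assumed to be sticky like /tmp, and ownership is verified with fstat() rather than changed with fchown(), since an unprivileged process cannot take ownership of someone else's directory.

```c
#define _XOPEN_SOURCE 700       /* POSIX.1-2008: O_NOFOLLOW, O_DIRECTORY */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Create or adopt a private directory; returns a directory fd, or -1. */
int private_dir(const char *dir)
{
    struct stat st;
    int fd;
    if (mkdir(dir, 0700) == -1 && errno != EEXIST)
        return -1;                          /* "punt" */
    /* O_NOFOLLOW: a symlink planted at `dir` is refused, not followed. */
    fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    /* Check the object that was opened, not whatever the name points at now. */
    if (fstat(fd, &st) == -1 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() ||           /* someone else created it first */
        fchmod(fd, 0700) == -1) {           /* strip group/other access */
        close(fd);
        return -1;
    }
    return fd;
}

/* Bind a stream socket at dir/name; returns the socket fd, or -1. */
int bind_private_socket(const char *dir, const char *name)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int dfd, s;
    if (snprintf(sa.sun_path, sizeof(sa.sun_path), "%s/%s", dir, name)
        >= (int)sizeof(sa.sun_path))
        return -1;                          /* path would be truncated */
    if ((dfd = private_dir(dir)) == -1)
        return -1;
    close(dfd);     /* dir is ours and 0700; assumes a sticky parent like /tmp */
    if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
        return -1;
    if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) == -1) {
        close(s);                           /* includes EADDRINUSE */
        return -1;
    }
    return s;
}
```

A directory that is adopted after having been writable by other users can still hold entries created before the mode was tightened; this example does not clear them.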

