From: "Rodney W. Grimes"
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerability]
In-Reply-To: <199909300401.WAA08495@harmony.village.org> from Warner Losh at "Sep 29, 1999 10:01:49 pm"
To: imp@village.org (Warner Losh)
Date: Wed, 29 Sep 1999 21:30:06 -0700 (PDT)
Cc: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), freebsd-security@FreeBSD.ORG
Message-Id: <199909300430.VAA22377@gndrsh.dnsmgr.net>

> In message <199909291352.GAA31310@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
> : Following is a post to BUGTRAQ. It appears that SSH under FreeBSD is
> : also "vulnerable" to bind(2) following symlinks during UNIX Domain
> : Socket creation. My question is: Is this an application bug, e.g. not
> : checking for a symlink prior to creating the socket, or would this be
> : an O/S bug, e.g. FreeBSD should not follow symlinks when creating UNIX
> : Domain Sockets?
>
> FreeBSD should follow symlinks. In fact in the base system we have
> /dev/log which points to /var/run/log.
>
> ssh really needs to be more careful about creating secure unix domain
> sockets. I believe the right algorithm is
>
> if (mkdir("/tmp/ssh-user", 0700)) {
>     if (errno == EEXIST) {
>         fd = open("/tmp/ssh-user",O_READ);
>         if (fd == -1)
>             punt!
>         if (fchown(fd, user))
>             punt!
>         if (fchmod(fd, 0700))
>             punt!
>     } else { punt! }
> }
> bind("/tmp/ssh-user/socket");
>
> Anything else is asking for trouble...

I had to stare at that code for a while to find out what my brain was telling me, I knew something wasn't parsing correctly, wanted to add an else to it, then found the missing }, then found where I wanted the extra else....

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
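As an added example (not code from this thread or from ssh), here is the defensive form of the algorithm Warner sketches, in C, with the assumed function name secure_private_dir(): rather than chown/chmod-ing a pre-existing directory into shape, it opens the path with O_NOFOLLOW|O_DIRECTORY and refuses unless the object actually opened is a directory owned by the expected user with mode 0700, so a planted symlink at /tmp/ssh-user can never redirect the later bind(2).

```c
/* Added example, not part of the original thread.  Create or validate a
 * private directory for a UNIX-domain socket without trusting a
 * pre-existing path.  Returns 0 when it is safe to bind() into the
 * directory, -1 otherwise (errno set). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

int secure_private_dir(const char *path, uid_t owner)
{
    struct stat st;
    int fd;

    /* Create it fresh with mode 0700.  EEXIST is the only failure we
     * tolerate; EACCES, ENOTDIR and friends are fatal. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* Open the directory itself, never following a symlink: a symlink
     * planted at this path fails here (ELOOP / ENOTDIR). */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_DIRECTORY);
    if (fd == -1)
        return -1;

    /* Inspect the object we opened, not the name, so there is no
     * check-then-use window for an attacker to swap the path. */
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }

    /* A pre-existing directory that is not ours, or that group/others
     * can touch, is refused outright instead of being "fixed up". */
    if (!S_ISDIR(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    close(fd);
    return 0;
}
```

The caller then builds the socket path inside the validated directory and calls bind(2); the directory's 0700 mode is what keeps other users from placing anything under it.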