Date: Thu, 7 Jun 2001 23:16:40 +0200
From: Markus Friedl <markus.friedl@informatik.uni-erlangen.de>
To: Andreas Haugsnes <andreas@haugsnes.no>, security@freebsd.org
Subject: Re: [fwd] SSH allows deletion of other users files...
Message-ID: <20010607231640.A4172@folly>
In-Reply-To: <20010606143323.G18735@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, Jun 06, 2001 at 02:33:23PM +0300
References: <20010606124702.A30808@lucky.net> <20010606124822.A26583@consistent.unicore.no> <20010606125321.A56634@mithrandr.moria.org> <20010606131130.A26605@consistent.unicore.no> <20010606143323.G18735@ringworld.oblivion.bg>
On Wed, Jun 06, 2001 at 02:33:23PM +0300, Peter Pentchev wrote:
> > > Are you using X forwarding? (ie, ssh -X)
>
> Yes, disabling X forwarding would be an easy workaround.
> Can somebody, however, test if the following patch resolves the problem?
> It certainly does for me..
>
> Well, ok, so there is still a race condition between the stat() and unlink()
> in the cleanup procedure.. but since there is no funlink() yet, I do not
> really think this one can be resolved :( And besides, there's a *much*
> smaller window of opportunity there.

I think it's simpler to switch uids when removing the cookie file.

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.77&r2=1.80

-m
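The uid switch Markus suggests, as an added C example that is neither OpenSSH's session.c nor the OpenBSD diff linked above: the racy check-then-unlink from the thread beside a version that becomes the user for the unlink(), so the kernel's own permission check decides what may be removed. Function names and the /tmp sample path are mine.

```c
/* Added example, not OpenSSH code: remove a per-user file from a root
 * daemon by switching uids first, as the fix Markus points to does. */
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Racy version from the thread: check, then unlink as root. In the gap the
 * user can swap a path component for a symlink and root removes another
 * user's file; lstat() instead of stat() narrows but keeps the window. */
int cleanup_cookie_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == -1 || !S_ISREG(st.st_mode))
        return -1;
    return unlink(path);                /* window is between these calls */
}

/* Safer: be the user for the unlink(). The kernel then applies that user's
 * permissions, so whatever the path resolves to, nothing is removed that
 * the user could not have removed anyway. */
int cleanup_cookie_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int rc, saved_errno;
    if (setegid(gid) == -1)             /* group first, while still root */
        return -1;
    if (seteuid(uid) == -1) {
        (void)setegid(saved_gid);
        return -1;
    }
    rc = unlink(path);
    saved_errno = errno;
    if (seteuid(saved_uid) == -1 || setegid(saved_gid) == -1)
        abort();                        /* cannot regain privilege: fatal */
    errno = saved_errno;
    return rc;
}

/* Self-check: create a throwaway file as ourselves and remove it safely. */
int self_test(void)
{
    char path[] = "/tmp/cookie-demo.XXXXXX";   /* constructed sample name */
    int fd = mkstemp(path);
    if (fd == -1 || close(fd) == -1)
        return 0;
    if (cleanup_cookie_as_user(path, geteuid(), getegid()) != 0)
        return 0;
    return access(path, F_OK) == -1 && errno == ENOENT;
}
```

Run as root, the safe version only ever unlinks what the target user could unlink; run unprivileged it degrades to a plain unlink() under your own uid, which is what self_test() exercises.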