From owner-freebsd-security Thu Jun 7 14:16:53 2001
Date: Thu, 7 Jun 2001 23:16:40 +0200
From: Markus Friedl <markus.friedl@informatik.uni-erlangen.de>
To: Andreas Haugsnes, security@freebsd.org
Subject: Re: [fwd] SSH allows deletion of other users files...
Message-ID: <20010607231640.A4172@folly>
References: <20010606124702.A30808@lucky.net> <20010606124822.A26583@consistent.unicore.no> <20010606125321.A56634@mithrandr.moria.org> <20010606131130.A26605@consistent.unicore.no> <20010606143323.G18735@ringworld.oblivion.bg>
In-Reply-To: <20010606143323.G18735@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, Jun 06, 2001 at 02:33:23PM +0300
User-Agent: Mutt/1.2.5i

On Wed, Jun 06, 2001 at 02:33:23PM +0300, Peter Pentchev wrote:
> > > Are you using X forwarding? (ie, ssh -X)
>
> Yes, disabling X forwarding would be an easy workaround.
> Can somebody, however, test if the following patch resolves the problem?
> It certainly does for me..
>
> Well, ok, so there is still a race condition between the stat() and unlink()
> in the cleanup procedure.. but since there is no funlink() yet, I do not
> really think this one can be resolved :( And besides, there's a *much*
> smaller window of opportunity there.

I think it's simpler to switch uids when removing the cookie file.
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.77&r2=1.80

-m
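The two approaches discussed in this thread, a stat()-then-unlink() check done as root (which leaves a race) versus unlinking the cookie file with the user's own uid (which lets the kernel's directory permission check do the work), can be illustrated with the following added example. It is not OpenSSH's code and not the patch linked above; `unlink_as_user` and the two `demo_*` functions are hypothetical helpers written for this message, and the on-disk layout they build under a fresh mkdtemp() directory is constructed for the demonstration. The symlink scenario deliberately points the "home" directory at a directory the user cannot write, which is what lets a privileged unlink reach another user's file while an unprivileged one is refused.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not sshd's code): unlink `path` in a forked child that
 * has first switched to the user's gid/uid. Every path component, including a
 * directory the user may have replaced with a symlink, is then checked against
 * the user's permissions rather than root's, so no stat()/unlink() race exists.
 * The drop is permanent in the child and never touches the caller's credentials.
 * Returns 0 on success, -1 with errno set to the child's errno. */
int unlink_as_user(const char *path, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* gid first: once a non-root process has done setuid() it cannot setgid(). */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(EPERM);
        if (unlink(path) != 0)
            _exit(errno & 0xff);   /* carry errno back through the exit status */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status)) { errno = ECHILD; return -1; }
    if (WEXITSTATUS(status) != 0) { errno = WEXITSTATUS(status); return -1; }
    return 0;
}

/* Constructed scenario:  victim/ (mode 0500, not writable by the user),
 * victim/cookie, and home -> victim.  A root unlink("home/cookie") would delete
 * victim/cookie; the same unlink done as the user fails with EACCES because the
 * user may not write `victim`.  Returns 1 if the unlink was refused and the
 * cookie survived, 0 otherwise (e.g. when run as root, which bypasses the check). */
int demo_symlinked_dir_is_refused(void)
{
    char tmpl[] = "/tmp/cookie-demo-XXXXXX";
    char victim[256], cookie[256], link[256], via_link[256];
    struct stat st;
    int fd, rc, ok = 0;

    if (mkdtemp(tmpl) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", tmpl);
    snprintf(cookie, sizeof cookie, "%s/victim/cookie", tmpl);
    snprintf(link, sizeof link, "%s/home", tmpl);
    snprintf(via_link, sizeof via_link, "%s/home/cookie", tmpl);

    if (mkdir(victim, 0700) != 0) goto out;
    if ((fd = open(cookie, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    close(fd);
    if (symlink(victim, link) != 0) goto out;
    if (chmod(victim, 0500) != 0) goto out;

    rc = unlink_as_user(via_link, getuid(), getgid());
    ok = (rc == -1 && errno == EACCES && lstat(cookie, &st) == 0);
out:
    chmod(victim, 0700);
    unlink(cookie); unlink(link); rmdir(victim); rmdir(tmpl);
    return ok;
}

/* Plain case: a cookie in a directory the user owns and can write is removed.
 * Returns 1 if the file is gone afterwards, 0 otherwise. */
int demo_owned_cookie_is_removed(void)
{
    char tmpl[] = "/tmp/cookie-demo-XXXXXX";
    char cookie[256];
    struct stat st;
    int fd, rc, gone;

    if (mkdtemp(tmpl) == NULL)
        return 0;
    snprintf(cookie, sizeof cookie, "%s/cookie", tmpl);
    if ((fd = open(cookie, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) { rmdir(tmpl); return 0; }
    close(fd);
    rc = unlink_as_user(cookie, getuid(), getgid());
    gone = (rc == 0 && lstat(cookie, &st) != 0 && errno == ENOENT);
    unlink(cookie);
    rmdir(tmpl);
    return gone;
}

int main(void)
{
    printf("owned cookie removed: %d\n", demo_owned_cookie_is_removed());
    printf("unlink via symlinked dir refused: %d\n", demo_symlinked_dir_is_refused());
    return 0;
}
```

Run as an ordinary user both demos print 1; the second prints 0 when run as root, which is exactly the point: root's unlink ignores the directory permission that protects the other user's file, so the fix is to stop being root for that one call rather than to add checks before it.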