From owner-freebsd-security Thu Sep 30 7:58:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 51B4A150CF for ; Thu, 30 Sep 1999 07:58:35 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA30957; Thu, 30 Sep 1999 07:58:35 -0700 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda30955; Thu Sep 30 07:58:15 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA94132; Thu, 30 Sep 1999 07:58:13 -0700 (PDT) Message-Id: <199909301458.HAA94132@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdJ94128; Thu Sep 30 07:57:43 1999 X-Mailer: exmh version 2.0.2 2/24/98 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.3-RELEASE X-Sender: cy To: Warner Losh Cc: Garrett Wollman , freebsd-security@FreeBSD.ORG Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] In-reply-to: Your message of "Wed, 29 Sep 1999 21:56:21 MDT." <199909300356.VAA08428@harmony.village.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 30 Sep 1999 07:57:42 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thread from freebsd-security. In message <199909300356.VAA08428@harmony.village.org>, Warner Losh writes: > In message <199909291438.KAA19248@khavrinen.lcs.mit.edu> Garrett > Wollman writes: > : It is an application bug in that temporary files created by > : applications should always reside in a newly-created directory which > : is owned by the appropriate user and mode 700. > > Having looking into this more deeply, I agree this is an ssh bug. It > needs to verify that /tmp/ssh-user exists, is a directory, and is > owned by user *BEFORE* trying to bind. Hacking the kernel to not > follow symbolic links isn't the best solution here (commits to > -current not with standing). It already creates the directoy if it > doesn't exist... I'll have to look at the ssh code to see what a > proper fix is. It's interesting to note the difference in philosophy between FreeBSD and Linux. Where FreeBSD is concerned with correctness and IMO doing the right thing, Linux is concerned with hacking something together that works. Hence differences in rate of development adherence to standards. It's been reported on BUGTRAQ that Linux will have a hack in their next kernel to "fix" this SSH bug. They've also announced that they won't be following symlinks on mknod(2) either. From a security standpoint this looks like it makes sense. (When I put my security administrator's hat on I don't care what I break). Before we go headlong into this, what are the ramifications, e.g. standards, etc. of doing this? (When I put my manager's hat on I need to think about the functional and business ramifications). Maybe what we need to do, after much discussion, is to create a sysctl flag or a per user control in login.conf to disable following symlinks when creating sockets, device nodes, and maybe even files, e.g. one bit in the control byte to control each of these. Then have it default one way or the other, depending on what the FreeBSD community and ultimately core wants. Then there's the people factor. Giving the average administrator the option can lead to disaster. Then again all of this could be overkill of a very simple problem with a very simple solution. In short I think we need to think about this and discuss it a little more before jumping to any conclusions. Any thoughts? Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Sun/DEC Team, UNIX Group Internet: Cy.Schubert@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Province of BC "e**(i*pi)+1=0" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message