From: Borja Marcos
Date: Thu, 27 Aug 2015 15:19:04 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
To: Mike Tancsa
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org

On Aug 27, 2015, at 3:08 PM, Mike Tancsa wrote:

> On 8/27/2015 3:24 AM, Dag-Erling Smørgrav wrote:
>
> For the latter two, I am trying to understand in the context of a shared
> hosting system. Could one user with sftp access to their own directory
> use these bugs to gain access to another user's account ?

Straightforward Unix permissions aren't really suited to such an application.
You need everything to be world readable by an unprivileged WWW server.

In such a setup we were successful by using a combination of mac/biba for integrity,
ugidfw for effective user separation, and removing all the setuid permissions from the system.

Otherwise, a non-chrooted hosting user will have at least read only access to the neighbors.

Borja.