Date: Thu, 27 Aug 2015 16:27:06 +0300
From: Peter Pentchev
To: Borja Marcos
Cc: Mike Tancsa, Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
Message-ID: <20150827132706.GB4751@straylight.m.ringlet.net>

On Thu, Aug 27, 2015 at 03:19:04PM +0200, Borja Marcos wrote:
>
> On Aug 27, 2015, at 3:08 PM, Mike Tancsa wrote:
>
> > On 8/27/2015 3:24 AM, Dag-Erling Smørgrav wrote:
> > For the latter two, I am trying to understand in the context of a shared
> > hosting system. Could one user with sftp access to their own directory
> > use these bugs to gain access to another user's account?
>
> Straightforward Unix permissions aren't really suited to such an
> application. You need everything to be world readable by an
> unprivileged WWW server.
>
> In such a setup we were successful by using a combination of mac/biba
> for integrity, ugidfw for effective user separation, and removing all
> the setuid permissions from the system.
>
> Otherwise, a non-chrooted hosting user will have at least read only
> access to the neighbors.

Hmm, this doesn't necessarily need to be true. When I set up a shared
hosting system some years ago, we put all the users in a single primary
group, then all their home directories had u+rwx,g-a,o+x Unix access
permissions. It seemed to work for keeping them out of each other's
homes and for letting both the webserver and the SSH server peek inside.

Of course, this would still allow somebody to explicitly modify the
access permissions of her own home directory, but, first off, I don't
think there ever was such a case, and we also had a periodic check for
this as well as some other silly things that people always manage to do
(and, yes, "people" here does include myself, too).

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net roam@FreeBSD.org pp@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
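
An added example, not part of the message above and not the author's own script: one way a periodic check for the scheme it describes (one shared primary group, home directories at u+rwx, no group bits, o+x, i.e. mode 0701) could be written. The function name, the directory layout and the gid argument are assumptions of this example.

```python
import os

# Scheme from the message: every hosting user shares one primary group and
# each home is u+rwx, no group bits, o+x (0701). Neighbours match the group
# class, which grants nothing, while services outside the group get
# search-only access through the "other" class.


def audit_homes(base, shared_gid):
    """Return [(name, mode, [problems])] for homes that drift from 0701.

    base and shared_gid are assumptions of this example: the directory that
    holds the home directories and the numeric id of the shared group.
    """
    findings = []
    for entry in sorted(os.scandir(base), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue  # plain files and symlinks are not home directories
        st = entry.stat(follow_symlinks=False)
        mode = st.st_mode & 0o777
        problems = []
        if st.st_gid != shared_gid:
            problems.append("not owned by the shared group")
        if mode & 0o070:
            problems.append("group bits set, neighbours can get in")
        if mode & 0o006:
            problems.append("readable or writable by everyone")
        if not mode & 0o001:
            problems.append("o+x missing, services outside the group cannot enter")
        if (mode & 0o700) != 0o700:
            problems.append("owner lacks full access")
        if problems:
            findings.append((entry.name, oct(mode), problems))
    return findings


if __name__ == "__main__":
    import sys
    # Usage (path and gid are site-specific): audit.py /home 1001
    for name, mode, problems in audit_homes(sys.argv[1], int(sys.argv[2])):
        print(f"{name} {mode}: {'; '.join(problems)}")
```

Run from cron or periodic(8), any output means a user has changed the permissions on a home directory away from the intended mode.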