Date: Wed, 26 Jun 2002 07:25:02 +1200 (NZST)
From: Andrew McNaughton
To: Brian Behlendorf
Cc: Niels Provos
Subject: Re: UseLogin and openssh-portable priv separation

On Tue, 25 Jun 2002, Brian Behlendorf wrote:

> On Tue, 25 Jun 2002, Niels Provos wrote:
> > If you do UseLogin, that means that you will lose privilege
> > separation after authentication. The Pre-authentication phase is
> > still privilege separated even with UseLogin enabled.
>
> Right, I got that from the man page, but was still slightly unclear: does
> using UseLogin remove the security that prevents the to-be-released
> exploit from being exploitable? Sounds like it does not remove that
> security, *unless* the attack came from someone who successfully
> authenticated, who could then get root?

As I understand things...

Whether or not you have UseLogin enabled, a chrooted process run as
user sshd will be forked to handle the authentication stage. This process
terminates before the session is established. You should be able to see
this process in your process accounting files with lastcomm if you've
turned the accounting on.

If UseLogin is not enabled, sshd will then fork a process with the
privileges of the user who is logging in, and this process will be the
parent of the spawned shell or other command, and will persist for the
duration of the connection.

If UseLogin is enabled then sshd won't fork a process owned by the user.
Once the session is started you will see much the same info in ps output
that you did before the new privilege separation was added.

Whether this has any bearing on the soon to be released exploit I obviously
cannot say for certain, but if UseLogin meant that the exploit could still
run, then I imagine Theo would have said so.

Andrew McNaughton
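
The behaviour described in this thread, as an added example that is not part of the original message: a shell check that reads an sshd_config and reports whether the pre-authentication and post-authentication phases are privilege separated. The function names `sshd_opt` and `privsep_phases` are hypothetical, the `UsePrivilegeSeparation` keyword and the defaults (privilege separation on, UseLogin off) are assumptions not stated in the thread, and `Match` blocks and `keyword=value` syntax are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): which sshd phases stay privilege
# separated for a given sshd_config, per the behaviour described above.
# Assumed defaults: UsePrivilegeSeparation yes, UseLogin no.

# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Print that value lowercased, or DEFAULT if unset.
sshd_opt() {    # usage: sshd_opt FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Hypothetical helper: summarise the two phases discussed in the thread.
privsep_phases() {    # usage: privsep_phases FILE
    privsep=$(sshd_opt "$1" UsePrivilegeSeparation yes)
    uselogin=$(sshd_opt "$1" UseLogin no)
    if [ "$privsep" = no ]; then
        echo "pre-auth=no post-auth=no"      # no separation at all
    elif [ "$uselogin" = yes ]; then
        echo "pre-auth=yes post-auth=no"     # UseLogin drops post-auth privsep
    else
        echo "pre-auth=yes post-auth=yes"
    fi
}

# Constructed sample config: the second UseLogin line is ignored.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 22
UseLogin yes
uselogin no
EOF
privsep_phases "$demo"
rm -f "$demo"
```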