From owner-freebsd-security  Wed Jun 26  6:27:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from aristotle.tamu.edu (Aristotle.tamu.edu [165.91.161.90])
	by hub.freebsd.org (Postfix) with ESMTP id 9C89C37B405
	for <freebsd-security@FreeBSD.ORG>; Wed, 26 Jun 2002 06:27:12 -0700 (PDT)
Received: from aristotle.tamu.edu (localhost [127.0.0.1])
	by aristotle.tamu.edu (8.12.3/8.12.3) with ESMTP id g5QDQb8t090120
	for <freebsd-security@FreeBSD.ORG>; Wed, 26 Jun 2002 08:26:37 -0500 (CDT)
	(envelope-from rasmith@aristotle.tamu.edu)
Message-Id: <200206261326.g5QDQb8t090120@aristotle.tamu.edu>
To: freebsd-security@FreeBSD.ORG
Subject: OpenSSH hole
Mime-Version: 1.0 (generated by tm-edit 7.106)
Content-Type: text/plain; charset=US-ASCII
Date: Wed, 26 Jun 2002 08:26:37 -0500
From: Robin Smith <rasmith@aristotle.tamu.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Having installed the openssh-portable port on a couple of FreeBSD boxes, I
have a note and a question.

Note:

The port does just about the whole job (creates user/group sshd, dir /var/empty)
and (with the option -D OPENSSH_OVERWRITE_BASE) puts all the stuff in the right
places, except for the sample rc script, which it tries to drop into /usr/etc/rc.d.
Since that's not part of the standard FreeBSD layout, the make then dies (so symlink
/usr/etc->/usr/local/etc).  Otherwise, all I had to do was edit and install the config
files.  

Question:

With privsep on, I see two 'sshd' processes created with each
connection, one owned by root and one by the connecting user.
However, if the connecting user happens to be root (i.e. if
PermitRootLogin is on), then there's no split (and even if there were,
both would be owned by root, of course).  I haven't heard anything
much about how the exploit works, but can someone who knows what the
vulnerability actually is tell me if this means you're still vulnerable
even with 3.3 and privsep if you allow root logins?


Robin Smith              
Department of Philosophy            rasmith@tamu.edu
Texas A&M University                Voice (979) 845-5696
College Station, TX 77843-4237      FAX   (979) 845-0458

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message