Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 30 Sep 1999 07:57:42 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Warner Losh <imp@village.org>
Cc:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, freebsd-security@FreeBSD.ORG
Subject:   Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] 
Message-ID:  <199909301458.HAA94132@cwsys.cwsent.com>
In-Reply-To: Your message of "Wed, 29 Sep 1999 21:56:21 MDT." <199909300356.VAA08428@harmony.village.org> 

next in thread | previous in thread | raw e-mail | index | archive | help
Thread from freebsd-security.

In message <199909300356.VAA08428@harmony.village.org>, Warner Losh 
writes:
> In message <199909291438.KAA19248@khavrinen.lcs.mit.edu> Garrett
> Wollman writes:
> : It is an application bug in that temporary files created by
> : applications should always reside in a newly-created directory which
> : is owned by the appropriate user and mode 700.
> 
> Having looking into this more deeply, I agree this is an ssh bug.  It
> needs to verify that /tmp/ssh-user exists, is a directory, and is
> owned by user *BEFORE* trying to bind.  Hacking the kernel to not
> follow symbolic links isn't the best solution here (commits to
> -current not with standing).  It already creates the directoy if it
> doesn't exist...  I'll have to look at the ssh code to see what a
> proper fix is.

It's interesting to note the difference in philosophy between FreeBSD 
and Linux.  Where FreeBSD is concerned with correctness and IMO doing 
the right thing, Linux is concerned with hacking something together 
that works.  Hence differences in rate of development adherence to 
standards.  It's been reported on BUGTRAQ that Linux will have a hack 
in their next kernel to "fix" this SSH bug.  They've also announced 
that they won't be following symlinks on mknod(2) either.

From a security standpoint this looks like it makes sense.  (When I put 
my security administrator's hat on I don't care what I break).  Before 
we go headlong into this, what are the ramifications, e.g. standards, 
etc. of doing this?  (When I put my manager's hat on I need to think 
about the functional and business ramifications).

Maybe what we need to do, after much discussion, is to create a sysctl 
flag or a per user control in login.conf to disable following symlinks 
when creating sockets, device nodes, and maybe even files, e.g. one bit 
in the control byte to control each of these.  Then have it default one 
way or the other, depending on what the FreeBSD community and 
ultimately core wants.

Then there's the people factor.  Giving the average administrator the 
option can lead to disaster.

Then again all of this could be overkill of a very simple problem with 
a very simple solution.

In short I think we need to think about this and discuss it a little 
more before jumping to any conclusions.

Any thoughts?


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
                      "e**(i*pi)+1=0"





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909301458.HAA94132>