Date: Tue, 25 Jun 2002 12:42:28 +1000 (Australia/ACT) From: Darren Reed <avalon@coombs.anu.edu.au> To: deraadt@cvs.openbsd.org (Theo de Raadt) Cc: nectar@FreeBSD.ORG (Jacques A. Vidrine), freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <200206250242.MAA08539@caligula.anu.edu.au> In-Reply-To: <200206250146.g5P1kXLI030924@cvs.openbsd.org> from "Theo de Raadt" at Jun 24, 2002 07:46:33 PM
next in thread | previous in thread | raw e-mail | index | archive | help
In some mail from Theo de Raadt, sie said: > > > What I like least about this new bug is that the workaround is to use > > a new feature called "Priviledge Separation". Maybe it wouldn't have > > mattered what the "next new bug" was, this would just have been one > > defence. The timing is quite ironic. > > Yes, and you know all about ironic timing > > > The paranoia in me is screaming to resist and I can't help but ponder, > > does enabling priviledge separation disable the exploit or does it just > > limit it to the userid sshd runs as in this mode ? > > Darren, resist enabling privsep. I cannot find strong enough enough > words in urging you. > > > Can an attacker still get a remote shell (just not root) if priviledge > > separation is enabled ? > > Duh. If that's the case then I think I'll just turn off openssh(d) until I can secure it properly, when the patch is released. I'd like to recommend others do the same but that'll depend on your networks and whether they can live without that sort of remote access for a week or so. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206250242.MAA08539>