Damien Miller <djm@xxxxxxxxxxx> writes:
> The memory dump seems to indicate a post-auth process (and possibly
> sftp-server/internal-sftp), so it's surprising it could see the
> password hash to begin with and it would be highly unlikely to see
> anything else that is sensitive.

(caveat: my recollection of the privsep model is slightly hazy; is there a whitepaper somewhere?)

The unprivileged parent can contain a copy of /etc/shadow from calling getpwnam() at some point before do_setusercontext(). This hypothesis is strengthened by the fact that the passwd line in the dump looks like it has been parsed for use in a struct passwd: the text fields are terminated by NULs instead of colons, but the numeric fields aren't because strtoul() doesn't require it. This passwd line seems to have overwritten a previous, longer passwd line for a user whose home directory (and presumably login) ends with "oe" and who uses zsh instead of bash.

However, that process's /proc/*/mem is only readable by root since it started out with root credentials.

The most intriguing thing about this dump is that it seems to contain a hex dump of a syslog message from Linux-PAM's pam_unix (starting at 002516d0). I wouldn't be surprised to see the message itself, since this is the same process that called pam_open_session(), but I really wouldn't expect a hex dump of that message.

On the whole, I agree that it is most likely a hoax.

DES
--
Dag-Erling Smørgrav - des@xxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
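An added illustration of the in-place parsing pattern described above (example code, not from the thread, OpenSSH or any libc): a hypothetical passwd-line parser that reuses a static buffer the way a non-reentrant getpwnam() does, run over two constructed entries with placeholder hashes, so the resulting memory image shows NUL-terminated text fields, colon-terminated numeric fields, and the tail of the previous longer entry surviving after the shorter one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for the static buffer a non-reentrant libc
 * getpwnam() reuses between calls; the size is arbitrary. */
char pw_buf[256];

struct pw_view {
    const char *name, *passwd, *gecos, *dir, *shell;
    unsigned long uid, gid;
};
/* Text field: its terminating ':' is overwritten with NUL in place. */
static char *take_str(char **p) {
    char *start = *p, *colon = strchr(start, ':');
    if (colon == NULL) return NULL;
    *colon = '\0';
    *p = colon + 1;
    return start;
}
/* Numeric field: strtoul() stops at ':' on its own, so the colon stays. */
static unsigned long take_num(char **p) {
    char *end;
    unsigned long v = strtoul(*p, &end, 10);
    if (*end == ':') end++;
    *p = end;
    return v;
}
/* Parse a passwd(5)-format line into pw_buf; returns 0 on success.
 * strcpy() copies only up to the NUL, so a shorter entry leaves the
 * tail of a previous, longer entry behind in the buffer. */
int parse_passwd_line(const char *line, struct pw_view *out) {
    if (strlen(line) >= sizeof pw_buf) return -1;
    strcpy(pw_buf, line);
    char *p = pw_buf;
    if (!(out->name = take_str(&p)) || !(out->passwd = take_str(&p))) return -1;
    out->uid = take_num(&p);
    out->gid = take_num(&p);
    if (!(out->gecos = take_str(&p)) || !(out->dir = take_str(&p))) return -1;
    out->shell = p;   /* last field ends at the line's own NUL */
    return 0;
}

int main(void) {
    struct pw_view pw;   /* constructed entries: a longer one, then a shorter one */
    parse_passwd_line("johndoe:$6$constructed:1001:1001:John Doe:/home/johndoe:/bin/zsh", &pw);
    parse_passwd_line("bob:$6$x:1002:1002::/home/bob:/bin/bash", &pw);
    for (size_t i = 0; i < 64; i++)   /* hex view of what a memory dump would show */
        printf("%02x%c", (unsigned char)pw_buf[i], i % 16 == 15 ? '\n' : ' ');
    return 0;
}
```

In the printed hex view the colons (0x3a) remain only around the uid/gid fields, and the bytes after the second entry's NUL still spell the old home directory and shell, which is the signature the message above reads out of the dump.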