Re: BUG: simple attack when control channel muxing is used

On Mon, 2014-11-10 at 19:46 +0100, Ángel González wrote: 
> Note that Linux enforces the discretionary permissions set on unix 
> sockets but other
What exactly does that mean?


> I guess the (euid != 0) check is there in case ssh was root setuid?
Or it's really to exclude root from the check, as Damien mentioned.

> It should probably be changed to
> if ((euid != 0 && (getuid() != uid)) && (getuid() != euid))
> not to make it so easy for a malicious root to use your remote
> connections (yes, it would need receiving the peer ruid).
Let's see what upstream thinks 



> However, for the attack shown, there's not so much to win from
> improving the check at the socket server side. It should be the
> connecting ssh (ie. root's) the one verifying that the socket is
> owned by himself.
Yes... let's see what upstream replies :)



Cheers,
Chris.


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
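
The client-side check suggested in the quoted text above (the connecting ssh verifying that the control socket is its own), sketched as an added example that is not part of the original message and is not OpenSSH code. `control_path_owned_by` and `make_demo_socket` are hypothetical names, and the parent-directory test goes one step beyond the ownership check mentioned in the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper, not an OpenSSH function: 0 if `path` is a unix socket
 * owned by `me` in a directory that no other user can write to, else -1. */
int control_path_owned_by(const char *path, uid_t me)
{
    struct stat sb;
    char buf[sizeof(((struct sockaddr_un *)0)->sun_path)];
    if (strlen(path) >= sizeof(buf))
        return -1;
    /* lstat, not stat: a symlink planted at the path must not be followed. */
    if (lstat(path, &sb) == -1 || !S_ISSOCK(sb.st_mode) || sb.st_uid != me)
        return -1;
    /* Anyone who can write the parent directory can replace the socket after
     * this check, so require it to be ours (or root's) and not group- or
     * world-writable. */
    strcpy(buf, path);
    if (stat(dirname(buf), &sb) == -1 || !S_ISDIR(sb.st_mode))
        return -1;
    if ((sb.st_uid != me && sb.st_uid != 0) || (sb.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    return 0;
}

/* Constructed demo input: bind a socket at <dir>/ctl in a fresh 0700 tempdir. */
int make_demo_socket(char *dir_template, char *path, size_t len)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd == -1 || mkdtemp(dir_template) == NULL)
        return -1;
    snprintf(path, len, "%s/ctl", dir_template);
    snprintf(sa.sun_path, sizeof(sa.sun_path), "%s", path);
    return bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == -1 ? -1 : fd;
}

int main(void)
{
    char dir[] = "/tmp/ctlXXXXXX", path[128];
    return make_demo_socket(dir, path, sizeof(path)) == -1 ||
           control_path_owned_by(path, geteuid()) != 0;
}
```

A check on the path alone is still subject to a race between the check and `connect()`, which is why the parent directory is tested as well.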
