Re: Call for testing: OpenSSH 6.8

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Fri, Feb 27, 2015 at 9:19 AM, Michael Felt <aixtools@xxxxxxxxx> wrote:
>
> One problem coming directly is that the -L flag (-L/opt/libressl/lib is not
> being included in the -blibpath so the programs link, but do not run.
> I am sure there is a way for me to modify the blibpath - BUT - I ask you do
> consider inserting an openssl-dir path when it is not
> already in the blibpath variable.
>

There's a reason why it isn't: where that directory is writeable by a
non-root user it becomes a vector for local privilege escalation via
OpenSSH's setuid binaries.
http://lists.mindrot.org/pipermail/openssh-unix-dev/2003-April/017768.html

Now that decision was made back in the day when OpenSSL's shared library
support was still considered experimental.  Maybe we could check that the
path is a) absolute and b) system-owned all the way down and add it to
blibpath if both are true.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux