On 8/27/2015 3:24 AM, Dag-Erling Smørgrav wrote:
> Mike Tancsa <mike at sentex.net> writes:
>> I know RELENG_8 is no longer supported, but does this issue impact
>> FreeBSD 8.x ?
>
> Note that of the three issues mentioned here, one is not exploitable by
> an attacker and the other two presuppose a compromised pre-auth child.

For the latter two, I am trying to understand in the context of a shared hosting system. Could one user with sftp access to their own directory use these bugs to gain access to another user's account ?

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

On Aug 27, 2015, at 3:08 PM, Mike Tancsa wrote:
> On 8/27/2015 3:24 AM, Dag-Erling Smørgrav wrote:
> For the latter two, I am trying to understand in the context of a shared
> hosting system. Could one user with sftp access to their own directory
> use these bugs to gain access to another user's account ?

Straightforward Unix permissions aren't really suited to such an application. You need everything to be world readable by an unprivileged WWW server.

In such a setup we were successful by using a combination of mac/biba for integrity, ugidfw for effective user separation, and removing all the setuid permissions from the system.

Otherwise, a non-chrooted hosting user will have at least read only access to the neighbors.

Borja.

Dag-Erling Smørgrav
2015-Aug-27 13:50 UTC
FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
Mike Tancsa <mike at sentex.net> writes:
> For the latter two, I am trying to understand in the context of a shared
> hosting system. Could one user with sftp access to their own directory
> use these bugs to gain access to another user's account ?

Once again: both of these are attacks on the main sshd process by the unprivileged child process, so the attacker first has to gain control of said child using some other vulnerability. There is currently no known way to exploit them. The reason why an advisory was issued is that by definition, the unprivileged child is assumed to be hostile.

http://blog.des.no/2015/08/openssh-pam-and-user-names/

DES
--
Dag-Erling Smørgrav - des at des.no