bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-28 02:56 UTC
[Bug 1433] New: sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
Summary: sshd.pid has permissions of 666
Classification: Unclassified
Product: Portable OpenSSH
Version: 4.7p1
Platform: HPPA
OS/Version: HP-UX
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: njleanne at hotmail.com
The sshd.pid under /var/run has the permission of 666, which we think
is a security bug.
We can see that:
# ps -ef |grep sshd
root 9341 1 0 Jan 25 ? 0:02 /opt/ssh/sbin/sshd
root 640 482 0 10:17:10 pts/ta 0:00 grep sshd
# kill 9341
# umask
022
# umask 00
# /opt/ssh/sbin/sshd
# ll /var/run/sshd.pid
-rw-rw-rw- 1 root sys 4 Jan 28 10:17 sshd.pid
So we changed the OpenSSH source code as follows; please see the attachment.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-28 05:24 UTC
[Bug 1433] sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2008-01-28 16:24:37 ---
Created an attachment (id=1448)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1448)
set umask for PidFile
The other thing you can do to mitigate this is to set your umask to
something other than "0".
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-28 06:03 UTC
[Bug 1433] sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
--- Comment #2 from leanne <njleanne at hotmail.com> 2008-01-28 17:03:12 ---
Created an attachment (id=1449)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1449)
for fixing the permission of sshd.pid in the source code
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-28 06:07 UTC
[Bug 1433] sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
--- Comment #3 from leanne <njleanne at hotmail.com> 2008-01-28 17:07:19 ---
This is a patch made by us, and we have tested it on all the HP-UX
platforms for 11.11, 11.23 and 11.31; it's OK. We just change the
permission of the pid file to 644. What do you think of the patch?
(In reply to comment #2)
> Created an attachment (id=1449)
> --> (http://bugzilla.mindrot.org/attachment.cgi?id=1449)
> for fixing the permission of sshd.pid in the source code
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-28 06:28 UTC
[Bug 1433] sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2008-01-28 17:28:22 ---
(From update of attachment 1449)
> fprintf(f, "%ld\n", (long) getpid()); > fclose(f); >+ if (chmod(options.pid_file,0644) == -1) >+ logit("chmod pid file failed");
This is not the best way to handle this as it's racy (i.e. there's a period
between the write and the chmod where the content of the file could be
changed).
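Review bot: the added chmod(options.pid_file,0644) runs only after the fprintf and fclose(f), so by the time it tightens the mode the PID file has already been created and written with whatever mode the inherited umask allowed (666 under "umask 00", as in the report). Fix the mode before anything is written and on the open stream rather than by path, for example fchmod(fileno(f), 0644) ahead of the fprintf, or make sure the umask clears group and world write before the file is created. The logit("chmod pid file failed") message should also carry the file name and strerror(errno) so a failure can be diagnosed from the log.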
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-28 06:29 UTC
[Bug 1433] sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
Blocks| |1353
bugzilla-daemon at bugzilla.mindrot.org
2008-Mar-31 04:09 UTC
[Bug 1433] sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1353 |
bugzilla-daemon at bugzilla.mindrot.org
2008-Mar-31 04:11 UTC
[Bug 1433] sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1452
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-14 17:34 UTC
[Bug 1433] sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1448|0 |1
is obsolete| |
Attachment #1449|0 |1
is obsolete| |
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2008-06-15 03:34:35 ---
Created an attachment (id=1522)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1522)
Ensure sshd's umask disallows at least group and world write.
This patch has been applied and will be in the next (5.1) release.
Thanks.
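The approach named in comment #5 (a umask that disallows at least group and world write), together with a PID-file write that has no interval between writing and fixing the mode (the concern in comment #4), as an added example. This is not the attached patch or OpenSSH code; `enforce_min_umask`, `write_pid_file`, `file_mode` and the `/tmp` path are illustrative names.

```c
/* Added example, not OpenSSH source; function names and the path are illustrative. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Force the umask to clear at least group and world write, whatever value
 * was inherited. umask() can only be read by setting it, hence two calls. */
mode_t enforce_min_umask(void)
{
	mode_t inherited = umask(0);
	umask(inherited | 022);
	return inherited | 022;
}

/* Write the PID file. The mode is fixed on the open descriptor before any
 * content is written, so nothing has to be chmod'ed by path afterwards.
 * Returns 0 on success, -1 on failure. */
int write_pid_file(const char *path)
{
	FILE *f;
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
	if (fd == -1)
		return -1;
	/* A file left over from an earlier run keeps its old mode on O_TRUNC. */
	if (fchmod(fd, 0644) == -1 || (f = fdopen(fd, "w")) == NULL) {
		close(fd);
		return -1;
	}
	fprintf(f, "%ld\n", (long)getpid());
	return fclose(f) == 0 ? 0 : -1;
}

/* Permission bits of path, or -1 if it cannot be examined. */
int file_mode(const char *path)
{
	struct stat st;
	return stat(path, &st) == -1 ? -1 : (int)(st.st_mode & 0777);
}

int main(void)
{
	enforce_min_umask();
	if (write_pid_file("/tmp/example-sshd.pid") == -1)	/* constructed path */
		return 1;
	printf("mode %04o\n", (unsigned)file_mode("/tmp/example-sshd.pid"));
	return 0;
}
```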
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-14 17:35 UTC
[Bug 1433] sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-22 02:20 UTC
[Bug 1433] sshd.pid has permissions of 666
https://bugzilla.mindrot.org/show_bug.cgi?id=1433
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> 2008-07-22 12:20:46 ---
Mass update RESOLVED->CLOSED after release of openssh-5.1