bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-11 18:55 UTC
[Bug 2969] New: [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2969

            Bug ID: 2969
           Summary: [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: erik.sjolund at gmail.com

Created attachment 3243
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3243&action=edit
Protect rmdir() with temporarily_use_uid() in session.c

The auth_sock_dir is created by the login user identity but might be removed by the privileged user at this place in ssh/session.c

     authsock_err:
            free(auth_sock_name);
            if (auth_sock_dir != NULL) {
                    rmdir(auth_sock_dir);
                    free(auth_sock_dir);
            }

It would be better to run the rmdir() system call under the login user identity instead (as implemented in the attached patch protect_rmdir.patch).

I don't think it is a security issue though. A symlink race condition will not work because the symlink would have to be at the "/tmp" part of the auth_sock_dir path. (An unprivileged user can't replace the /tmp with a symlink)

--
You are receiving this mail because:
You are watching the assignee of the bug.
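The pattern requested in the report above, as an added example that is not part of the thread and is not OpenSSH source: a stand-alone helper that switches the effective uid, gid and (when root) supplementary groups around rmdir() and then restores them. rmdir_as_user() and the /tmp/authsock-demo-XXXXXX path are hypothetical names chosen for this sketch; OpenSSH itself uses temporarily_use_uid() for the switch.

```c
/* Added example, not OpenSSH source. rmdir_as_user() is a hypothetical helper. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* setgroups(), seteuid(), mkdtemp() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Remove path with the effective identity (uid, gid), then restore the
 * caller's identity. Returns rmdir()'s result, or -1 if the switch failed. */
int rmdir_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int privileged = (saved_euid == 0), ngroups = 0, ret = -1, saved_errno;
    gid_t *groups = NULL;

    if (privileged) {  /* only root can change supplementary groups */
        if ((ngroups = getgroups(0, NULL)) < 0)
            return -1;
        groups = calloc((size_t)ngroups + 1, sizeof(*groups));
        if (groups == NULL || getgroups(ngroups, groups) < 0 ||
            setgroups(1, &gid) < 0) {
            free(groups);
            return -1;
        }
    }
    /* gid before uid: once euid is non-root, setegid() is no longer allowed */
    if (setegid(gid) == 0 && seteuid(uid) == 0)
        ret = rmdir(path);
    saved_errno = errno;

    /* restore in reverse order; never continue half-switched */
    if (seteuid(saved_euid) < 0 || setegid(saved_egid) < 0 ||
        (privileged && setgroups((size_t)ngroups, groups) < 0))
        abort();
    free(groups);
    errno = saved_errno;
    return ret;
}

int main(void)
{
    char dir[] = "/tmp/authsock-demo-XXXXXX";  /* constructed sample path */
    if (mkdtemp(dir) == NULL)
        return 1;
    return rmdir_as_user(dir, getuid(), getgid()) == 0 ? 0 : 1;
}
```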
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-11 22:16 UTC
[Bug 2969] [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2969

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
AFAIK since we removed the ability to disable privilege separation, I think it's impossible for this code to run with elevated privileges to begin with.

That being said, as long as the skeleton of the !privsep case remains, we should follow the rules...
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-22 03:37 UTC
[Bug 2969] [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2969

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2915
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Thanks - I've committed this and it will be in the OpenSSH 8.0 release

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
bugzilla-daemon at mindrot.org
2021-Apr-23 05:10 UTC
[Bug 2969] [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2969

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release