bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-11 18:55 UTC
[Bug 2969] New: [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2969
Bug ID: 2969
Summary: [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
Product: Portable OpenSSH
Version: 7.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: erik.sjolund at gmail.com
Created attachment 3243
--> https://bugzilla.mindrot.org/attachment.cgi?id=3243&action=edit
Protect rmdir() with temporarily_use_uid() in session.c
The auth_sock_dir is created by the login user identity but might be
removed by the privileged user at this place in ssh/session.c:

    authsock_err:
        free(auth_sock_name);
        if (auth_sock_dir != NULL) {
            rmdir(auth_sock_dir);
            free(auth_sock_dir);
        }

It would be better to run the rmdir() system call under the login user
identity instead (as implemented in the attached patch
protect_rmdir.patch). I don't think it is a security issue though. A
symlink race condition will not work because the symlink would have to
be at the "/tmp" part of the auth_sock_dir path.
(An unprivileged user can't replace the /tmp with a symlink)
--
You are receiving this mail because:
You are watching the assignee of the bug.
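
The pattern requested in this report, as an added stand-alone sketch (not the attached patch and not OpenSSH code): drop to the directory owner's identity, call rmdir(), then restore. `rmdir_as_user` is a hypothetical helper; it assumes POSIX seteuid()/setegid() and switches only the effective uid and gid, not supplementary groups.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Remove dir while running with the effective uid/gid of the user that
 * created it. Hypothetical helper: returns 0 on success, -1 with errno set.
 */
int rmdir_as_user(const char *dir, uid_t uid, gid_t gid)
{
	uid_t saved_euid = geteuid();
	gid_t saved_egid = getegid();
	int privileged = (saved_euid == 0);
	int ret, saved_errno;

	if (privileged) {
		/* Group first: once euid is non-zero, setegid() would fail. */
		if (setegid(gid) == -1)
			return -1;
		if (seteuid(uid) == -1) {
			saved_errno = errno;
			if (setegid(saved_egid) == -1)
				abort();
			errno = saved_errno;
			return -1;
		}
	}

	/* The kernel now checks permissions against the user, not root. */
	ret = rmdir(dir);
	saved_errno = errno;

	if (privileged) {
		/* Restore in reverse order; never continue half-switched. */
		if (seteuid(saved_euid) == -1 || setegid(saved_egid) == -1)
			abort();
	}
	errno = saved_errno;
	return ret;
}
```

When the caller is already unprivileged, the helper calls rmdir() directly, since there is no elevated identity to drop.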
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-11 22:16 UTC
[Bug 2969] [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2969
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
AFAIK since we removed the ability to disable privilege separation, I
think it's impossible for this code to run with elevated privileges to
begin with.
That being said, as long as the skeleton of the !privsep case remains,
we should follow the rules...
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-22 03:37 UTC
[Bug 2969] [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2969
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2915
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Thanks - I've committed this and it will be in the OpenSSH 8.0 release.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
bugzilla-daemon at mindrot.org
2021-Apr-23 05:10 UTC
[Bug 2969] [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2969
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release