[Bug 2969] New: [PATCH] Protect rmdir() with temporarily_use_uid() in session.c

bugzilla-daemon at bugzilla.mindrot.org
Tue Feb 12 05:55:10 AEDT 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2969

            Bug ID: 2969
           Summary: [PATCH] Protect rmdir() with temporarily_use_uid() in
                    session.c
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: erik.sjolund at gmail.com

Created attachment 3243
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3243&action=edit
Protect rmdir() with temporarily_use_uid() in session.c

The auth_sock_dir is created by the login user identity but might be
removed by the privileged user at this place in ssh/session.c:

authsock_err:
        free(auth_sock_name);
        if (auth_sock_dir != NULL) {
                rmdir(auth_sock_dir);
                free(auth_sock_dir);
        }

It would be better to run the rmdir() system call under the login user
identity instead (as implemented in the attached patch
protect_rmdir.patch). I don't think it is a security issue though. A
symlink race condition will not work because the symlink would have to
be at the "/tmp" part of the auth_sock_dir path. 
(An unprivileged user can't replace the /tmp with
a symlink.)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
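
An added example, not part of the original report or the attached patch: a stand-alone C sketch of the pattern the report proposes, running rmdir() under the login user's effective uid/gid and then restoring the caller's identity. The helper name rmdir_as_user and the /tmp/authsock_demo path are assumptions for illustration; OpenSSH itself uses temporarily_use_uid() and restore_uid() for this.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not OpenSSH code: rmdir() under the login user's
 * effective ids, then restore. OpenSSH's temporarily_use_uid() also swaps
 * the supplementary group list, which this sketch leaves alone. */
int rmdir_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int ret, saved_errno;

    /* Group first: after seteuid() we may lack the privilege to change it. */
    if (setegid(gid) == -1)
        return -1;
    if (seteuid(uid) == -1) {
        saved_errno = errno;
        if (setegid(saved_egid) == -1)
            abort();
        errno = saved_errno;
        return -1;
    }
    ret = rmdir(path);      /* kernel permission checks now use the user's ids */
    saved_errno = errno;

    /* Regain the caller's identity in reverse order; failure here is fatal. */
    if (seteuid(saved_euid) == -1 || setegid(saved_egid) == -1)
        abort();
    errno = saved_errno;
    return ret;
}

int main(void)
{
    char dir[] = "/tmp/authsock_demo.XXXXXX";  /* constructed sample path */
    if (mkdtemp(dir) == NULL)
        return 1;
    /* Unprivileged demo uses our own ids; a privileged caller would pass
     * the login user's pw_uid/pw_gid. */
    if (rmdir_as_user(dir, geteuid(), getegid()) == -1) {
        perror("rmdir_as_user");
        return 1;
    }
    printf("removed %s\n", dir);
    return 0;
}
```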

