[Bug 2969] New: [PATCH] Protect rmdir() with temporarily_use_uid() in session.c
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Tue Feb 12 05:55:10 AEDT 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=2969
Bug ID: 2969
Summary: [PATCH] Protect rmdir() with temporarily_use_uid() in
session.c
Product: Portable OpenSSH
Version: 7.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: erik.sjolund at gmail.com
Created attachment 3243
--> https://bugzilla.mindrot.org/attachment.cgi?id=3243&action=edit
Protect rmdir() with temporarily_use_uid() in session.c
The auth_sock_dir is created by the login user identity but might be
removed by the priviledged user at this place in ssh/session.c
authsock_err:
free(auth_sock_name);
if (auth_sock_dir != NULL) {
rmdir(auth_sock_dir);
free(auth_sock_dir);
}
It would be better to run the rmdir() system call under the login user
identity instead (as implemented in the attached patch
protect_rmdir.patch). I don't think it is a security issue though. A
symlink race condition will not work because the symlink would have to
be at the "/tmp" part of the auth_sock_dir path.
(An unpriviledged user can't replace the /tmp with
a symlink)
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list