OpenSSH tmp cleanup

Nalin Dahyabhai nalin at
Fri Jun 8 10:07:32 EST 2001

On Thu, Jun 07, 2001 at 10:52:33PM +0200, Markus Friedl wrote:
> did someone check this?

The patch appears to prevent the deletion of wrong files, but it still
looks to me that if a local user can hit the window between the
mkdtemp() and open() calls, he can cause the cookie file to be created
in any directory the superuser can write to.

Would it be safer to create the directory with superuser privileges,
and then change the ownership of the directory to the user's UID after
the cookie file was created?  The sticky bit set on /tmp would keep a
user from being able to play tricks with symlinks....

The post on BugTraq which I saw mentioned that sshd didn't clear its
supplemental groups list at startup time.  Something like this before
the first fork() should fix that:

/* Clear inherited supplementary groups; needs <grp.h>, <errno.h>, <string.h>. */
if (setgroups(0, NULL) < 0) {
	if (debug_flag)
		error("setgroups() failed: %.200s", strerror(errno));
	else
		fatal("setgroups() failed: %.200s", strerror(errno));
}
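
The ordering suggested in the message above (create the directory while still privileged, create the cookie file, then hand over ownership), written out as an added example; it is not part of the original post and not OpenSSH's code. The function name make_cookie_dir, the file name "cookies" and the use of openat() with O_NOFOLLOW are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Create <base>/ssh-XXXXXX/cookies as the (privileged) caller, then give the
 * file and the directory to uid:gid. Returns 0 and leaves the directory path
 * in dir on success, -1 on error. All names here are hypothetical.
 */
int make_cookie_dir(const char *base, uid_t uid, gid_t gid, char *dir, size_t len)
{
	struct stat st;
	int dfd = -1, ffd = -1, ok = 0;
	int n = snprintf(dir, len, "%s/ssh-XXXXXX", base);

	if (n < 0 || (size_t)n >= len)
		return -1;
	if (mkdtemp(dir) == NULL)	/* created mode 0700, owned by the caller */
		return -1;

	/* Pin the directory by descriptor and refuse a symlink at that path. */
	dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
	if (dfd >= 0 && fstat(dfd, &st) == 0 &&
	    st.st_uid == geteuid() && (st.st_mode & 0777) == 0700)
		/* Relative to dfd: renaming or replacing the path cannot redirect it. */
		ffd = openat(dfd, "cookies",
		    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);

	/* The user gains control of the directory only after the file exists. */
	if (ffd >= 0 && fchown(ffd, uid, gid) == 0 && fchown(dfd, uid, gid) == 0)
		ok = 1;

	if (ffd >= 0)
		close(ffd);
	if (dfd >= 0)
		close(dfd);
	return ok ? 0 : -1;
}
```

Because the directory stays owned by the caller with mode 0700 until the final fchown(), the user has no write access to it during the window between directory and file creation.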



More information about the openssh-unix-dev mailing list