[Bug 296] Priv separation does not work on OSF/1
Chris Adams
cmadams at hiwaay.net
Wed Jun 26 05:58:17 EST 2002
Once upon a time, Markus Friedl <markus at openbsd.org> said:
> so something like
>
> > --- ../openssh-3.3/sshd.c Fri Jun 21 01:05:56 2002
> > +++ ./sshd.c Fri Jun 21 21:17:37 2002
> > @@ -596,7 +596,11 @@
> > /* XXX - Remote port forwarding */
> > x_authctxt = authctxt;
> >
> > +#ifdef DEC_OSF...
> > + if (1) {
> > +#else
> > if (authctxt->pw->pw_uid == 0 || options.use_login) {
> > +#endif
> > /* File descriptor passing is broken or root login */
> > monitor_apply_keystate(pmonitor);
> > use_privsep = 0;
> >
>
> could help (it turns of privsep for post-auth, but
> you still get protection against a certain class of attacks).
I can get Tru64 SIA to work if I do something like this (with #ifdef
HAVE_OSF_SIA), because the problem with SIA is trying to do session
setup that requires root access as the sshd user (it needs to be done
after PTY setup/allocation too, so I don't really see how to do it with
post-auth privsep).
Question (if anyone can answer this, maybe in private email): will this
new security bug that is to be announced be pre-auth or post-auth? In
other words, if I don't do post-auth privsep, will I be vulnerable?
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
More information about the openssh-unix-dev
mailing list