BUG: simple attack when control channel muxing is used (was: Re: ControlMaster question)

Christoph Anton Mitterer calestyo at scientia.net
Tue Nov 11 05:41:02 EST 2014


On Mon, 2014-11-10 at 13:28 -0500, Stephen Frost wrote: 
> Should there be a hard-link count check also..?  Haven't really thought
> it all the way through, but that's a common thing to check also..
Hmm, not sure if that helps anything...

A normal user cannot create hardlinks on files owned by other users,
right?

So if the owner check already shows that the socket belongs to the
current user, then no one (but an evil root) could have created such
a hardlink, except the user itself.

And since no one but root can chown the owner of a file, it should
not work either for an evil userB to create a mux socket, hardlink it
and then change the owner of one of the hardlinks to good userA.

Or am I wrong? (I'm truly no expert in these kinds of filesystem level
hacks)


Cheers,
Chris.