BUG: simple attack when control channel muxing is used (was: Re: ControlMaster question)

Christoph Anton Mitterer calestyo at scientia.net
Tue Nov 11 08:18:26 EST 2014


On Tue, 2014-11-11 at 08:00 +1100, Damien Miller wrote: 
> This behaviour is intentional. root is allowed to connect to users'
> control sockets for a number of reasons.
Even if,... shouldn't it then be properly documented or better:
the checks should be in place per default for root as well, and only
with some additional option ControlMasterConnectUnownedSockets=yes (or
something like this), which defaults to no, root should be allowed to do
this?
I mean most people will likely never need those features you mentioned,
but it happens rather easily that people place such things in /tmp
or /run.

Apart from that, have you seen Ángel's post where he says the check
would happen on the socket server side?
That would of course make any user (not just root) attackable.



> If you want to avoid root connecting to a suspect socket, then ensure
> root's sockets are created in a directory that is not writable by
> untrusted users. I use "ControlPath ~/.ssh/ctl-%C"
Or there should be a StrictModes option like on the sshd side, which
prohibits taking sockets from insecure locations per default.


Cheers,
Chris. 
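
A sketch of the StrictModes-style check on a ControlPath that this message proposes, added here as an illustration; it is not OpenSSH code and not part of the original post. The function name `controlpath_problems` and its `stop_at` parameter (a trusted ancestor such as the home directory, where the walk ends) are hypothetical.

```python
import os
import stat
import sys

def controlpath_problems(control_path, stop_at=None, uid=None):
    """List reasons why control_path sits where other users could tamper with it.

    Walks from the socket's directory up to stop_at (default: /). Every
    directory must be owned by uid or root and must not be group- or
    world-writable; an existing entry at control_path must be a socket
    owned by uid.
    """
    uid = os.getuid() if uid is None else uid
    problems = []
    path = os.path.abspath(control_path)
    try:
        st = os.lstat(path)              # lstat: do not follow a planted symlink
        if not stat.S_ISSOCK(st.st_mode):
            problems.append((path, "exists but is not a socket"))
        elif st.st_uid != uid:
            problems.append((path, "socket owned by uid %d" % st.st_uid))
    except FileNotFoundError:
        pass                             # no master yet; only the directories matter
    cur = os.path.realpath(os.path.dirname(path))
    stop = os.path.realpath(stop_at) if stop_at else None
    while True:
        st = os.stat(cur)
        if st.st_uid not in (0, uid):
            problems.append((cur, "directory owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((cur, "directory mode %04o is group/world-writable"
                             % stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(cur)
        if cur == stop or parent == cur:
            break
        cur = parent
    return problems

if __name__ == "__main__":
    # Usage: script.py CONTROL_PATH [TRUSTED_ANCESTOR]
    found = controlpath_problems(*sys.argv[1:3]) if len(sys.argv) > 1 else []
    for where, why in found:
        print("%s: %s" % (where, why))
    sys.exit(1 if found else 0)
```

A sticky world-writable directory such as /tmp is still reported, since the sticky bit does not stop another user from creating a socket at a predictable name before the legitimate master does.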