BUG: simple attack when control channel muxing is used
Christoph Anton Mitterer
calestyo at scientia.net
Tue Nov 11 08:18:20 EST 2014
On Mon, 2014-11-10 at 19:46 +0100, Ángel González wrote:
> Note that Linux enforces the discretionary permissions set on unix
> sockets but other
What exactly does that mean?
> I guess the (euid != 0) checkis there in case ssh was root setuid?
Or it's really to exclude root from the check, as Damien mentioned.
> It
> should probably be
> changed to if ((euid != 0 && (getuid() != uid)) && (getuid() != euid))
> not to make it so easy
> for a malicious root to use your remote connections (yes, it would need
> receiving the peer ruid).
Let's see what upstream thinks
> However, for the attack shown, there's not so much to win from improving
> the check at the
> socket server side. It should be the connecting ssh (ie. root's) the one
> verifying that the socket
> is owned by himself.
Yes... let's see what upstream replies :)
Cheers,
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5313 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141110/c6dc26b0/attachment.bin>
More information about the openssh-unix-dev
mailing list