On Wed, Oct 06, 1999 at 11:11:12AM -0400, Wietse Venema wrote:
> This is the second SSH vulnerability involving bind() (the other
> one involves port forwarding). They really ought to learn to perform
> operations with the right privilege level.
>
> With a little tooling (such as set_eugid()) it is quite easy.

Please note that ssh dropped support for uid-swapping beginning with version 1.2.13: in order to avoid leakage of the private hostkey (e.g. in core-dumps) when running suid-root, ssh now forks into 2 processes:

(1) the main process is running setuid root and controls:
(2) the 'userfile' process, which runs with the id of the user and accesses his files (e.g. over NFS)

I think it is the wrong decision to make 'privileged' the standard and 'non-privileged' the special case.

Please note also that the two free versions of ssh, ossh by Bjoern Groenvall <bgat_private> and OpenSSH from the OpenBSD project, do _not_ exhibit this behaviour, since they are derived from ssh-1.2.12, the last version of the original ssh free for commercial use.
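As an added illustration of the two-process split described in the message above (example code written for this archive page, not code from ssh, ossh or OpenSSH), the C sketch below has a privileged parent fork a 'userfile' child that permanently drops to the user's uid/gid, verifies that root cannot be regained, and only then opens the user's file; the function names, the uid/gid arguments and the file paths are constructed for the example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to uid/gid: clear supplementary groups first (root only),
 * then the gid, then the uid, and confirm that the real, effective and saved
 * ids all changed, i.e. no uid-swapping back to root remains possible. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* only root may clear supplementary groups; an unprivileged caller skips it */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* setuid() called as root replaces all three ids; verify the drop stuck */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* regaining root must now fail; if it succeeds the drop was not permanent */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Model of the split: the privileged parent forks a 'userfile' child that
 * drops to the user's ids before touching the user's file. Returns the child's
 * exit status: 0 = file opened as that user, 1 = open failed, 2 = drop failed,
 * -1 = fork/wait error or abnormal child termination. */
int read_as_user(const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: the 'userfile' process */
        if (drop_privileges(uid, gid) != 0) _exit(2);
        FILE *f = fopen(path, "r");       /* first file access happens unprivileged */
        if (!f) _exit(1);
        fclose(f);
        _exit(0);
    }
    int status;                           /* parent keeps its privileges and waits */
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Run unprivileged, the drop to the caller's own ids is a no-op that still passes every check; run setuid-root, the same code is what keeps the hostkey-holding parent away from the user's NFS-mounted files.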
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:43 PDT