Markus Friedl:

> On Mon, Oct 25, 1999 at 07:05:01PM -0400, Wietse Venema wrote:
> > I was talking about seteuid(), which leaves real uid == 0, so that
> > the process remains protected against groping by unprivileged users.
>
> all I was trying to say is:
> 1) ssh _did_ use seteuid() for swapping uids (until version 1.2.12. ossh
> and openssh still use seteuid() and are not vulnerable to this attack).
> 2) post-ssh-1.2.12 uses a different, more complex approach and fails.

I have a comment on your statement that "in order to avoid leakage of the private hostkey (e.g. in core-dumps) when running suid-root, ssh now forks into 2 processes", because this statement could leave the wrong impression with the reader.

On UNIX, key disclosure via core dumps can be prevented by disabling core dumps (setrlimit(2)). Key disclosure via unprivileged access to process memory can be prevented by keeping a privileged real UID (ptrace(2), procfs(5)). For key protection, it is unnecessary to get into the complexity of managing two processes.

This is not a plea to always use variable-privilege software when the job can be done by a combination of fixed-privilege processes. But it _is_ a plea to use the right tool in the right place.

The Postfix MTA uses a combination of fixed and variable privileges. Some processes (notably those interacting with the network) run with a fixed low privilege. Some processes (notably those interacting with userland) hang on to their privileged real UID so that they can perform certain operations with the proper user privileges, without having to worry about unprivileged users manipulating their open files/sockets/pipes etc. and thus messing up the mail system.

Wietse
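The two protections Wietse names, setrlimit(2) against core dumps and seteuid(2) to swap effective privilege while the real uid stays 0, as an added C example for a POSIX system (not code from this thread, ssh or Postfix; the function names and the uid 1000 mentioned in the comments are my own choices):

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/resource.h>

/* Forbid core files: a crash then never writes the private host key
 * (or anything else in memory) to disk. Returns 0 on success. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };   /* soft and hard limit both zero */
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Current soft core-file limit; 0 means no core will be written. */
long core_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return (long) rl.rlim_cur;
}

/* Act as the user for now, via seteuid() so the real uid stays 0:
 * the user's other processes cannot ptrace(2) us or read our memory
 * through procfs. setuid() would give up the real uid as well. */
int become_user(uid_t user)
{
    return seteuid(user);
}

/* Back to root; works only while the real (or saved) uid is 0. */
int become_root(void)
{
    return seteuid(0);
}

/* 1 while the real uid is privileged, i.e. memory stays protected. */
int real_uid_privileged(void)
{
    return getuid() == 0;
}

int main(void)
{
    disable_core_dumps();
    printf("core limit %ld, real uid %d, euid %d\n",
           core_limit(), (int) getuid(), (int) geteuid());
    return 0;
}
```

Run as root, `become_user(1000)` followed by `become_root()` shows the euid changing while `getuid()` keeps returning 0; as an ordinary user the swap back fails, which is exactly the property the real uid provides.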
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:52 PDT