Sorry, I forgot some relevant information.

With regard to the previous post:

Tested on:
Red Hat Linux release 7.0 (Guinness)

[zen-parse@clarity zen-parse]$ rpm -qf /usr/sbin/sshd
openssh-server-2.5.2p2-1.7.2
[zen-parse@clarity zen-parse]$ ssh -V
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f

The configuration file has not been modified from the default settings.

Although sshd does drop root privileges, the process's groups are not cleared. (From /proc/$$/status of the sshd handling the session, and the output of strace and ltrace. There is no use of initgroups in the ltrace output of the process that creates the directory, although it does change euid beforehand, and there is no setgroups in the strace output.)

There may be a race condition for writing the cookie file to any directory that the groups root has, if you can delete the directory and replace it with a symlink before the file is created, but I haven't tested this. The file itself is created with O_EXCL, so a symlink in place of the file cannot be used to create/overwrite arbitrary files.

On Red Hat 7.0 it appears creation of a file called cookie could be achieved in only a few places:

/var/lock/subsys
/var/run/netreport
/mnt/cdrom
/mnt/floppy

and any of the world-writable directories.
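
The /proc/<pid>/status check described in the post, as an added example that is not part of the original message: it reports supplementary groups still held by a process whose effective uid is no longer 0. The sample status text, uid/gid 500 and the group lists are constructed, and the function names are hypothetical.

```python
import os
import pwd
import sys

# Constructed samples in /proc/<pid>/status layout (not captured from a real host).
# Uid and Gid columns are: real, effective, saved, filesystem.
LEAKY = "Name:\tsshd\nUid:\t500\t500\t500\t500\nGid:\t500\t500\t500\t500\nGroups:\t0 1 2 3 4 6 10 \n"
CLEAN = "Name:\tsshd\nUid:\t500\t500\t500\t500\nGid:\t500\t500\t500\t500\nGroups:\t500 \n"
ROOT = "Name:\tsshd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t0 1 2 3 4 6 10 \n"


def parse_ids(status_text):
    """Return (effective uid, effective gid, set of supplementary gids)."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Uid", "Gid", "Groups"):
            fields[key] = [int(v) for v in value.split()]
    if len(fields.get("Uid", [])) < 2 or len(fields.get("Gid", [])) < 2:
        raise ValueError("status text has no usable Uid/Gid lines")
    return fields["Uid"][1], fields["Gid"][1], set(fields.get("Groups", []))


def leftover_groups(status_text, expected_gids):
    """Supplementary gids a non-root process holds beyond what its account should have."""
    euid, egid, groups = parse_ids(status_text)
    if euid == 0:
        return []  # still root, so no privilege drop has happened yet
    return sorted(groups - set(expected_gids) - {egid})


def expected_for(uid):
    """Groups the account database grants this uid (what initgroups() would install)."""
    entry = pwd.getpwuid(uid)
    return os.getgrouplist(entry.pw_name, entry.pw_gid)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check on Linux: python3 check.py <pid>
        with open("/proc/%s/status" % sys.argv[1]) as handle:
            text = handle.read()
        print(leftover_groups(text, expected_for(parse_ids(text)[0])))
    else:
        print("leaky:", leftover_groups(LEAKY, [500]))
        print("clean:", leftover_groups(CLEAN, [500]))
```

A non-empty result for a post-authentication process means its supplementary group list was not reset with initgroups() or setgroups() before the uid change.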
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 10:56:41 PDT