Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]

[Chris Keane]

>>>>> On Thu, 30 Sep 1999, "JL" = Jeff Long wrote:

  JL> Seeing the race problems with the previous two patches I thought I
  JL> would take a shot at one.  It changes the effective uid/gid to the
  JL> user logging in before doing the bind() (and then resets them after)
  JL> which seems to take care of the problem.  [ ... ]  The bind() will
  JL> fail if a symlink exists to a file that the user would normally not
  JL> be able to write to (such as /etc/nologin).

Surely this still isn't ideal, though?  It now won't overwrite root-owned
files, so the security hazard isn't there, but anyone on the system can
still fool a user into overwriting one of his own files, which is not
great.

Or have I missed something?

Cheers,
Chris.

------------------------------------------------------------------- ><> ---
    Hardware Compilation Group, Oxford University Computing Laboratory,
            Wolfson Building, Parks Road, Oxford, OX1 3QD, U.K.
    tel:  +44 (1865) (2)73865      e-mail:  [EMAIL PROTECTED]
            http://www.comlab.ox.ac.uk/oucl/users/chris.keane/