On Wed, Oct 06, 1999 at 11:11:12AM -0400, Wietse Venema wrote:
> This is the second SSH vulnerability involving bind() (the other
> one involves port forwarding). They really ought to learn to perform
> operations with the right privilege level.
>
> With a little tooling (such as set_eugid()) it is quite easy.
Please note that ssh dropped support for uid-swapping beginning
with version 1.2.13:
In order to avoid leakage of the private hostkey (e.g. in core-dumps)
when running suid-root, ssh now forks into 2 processes:
(1) the main process, which runs setuid root and controls:
(2) the 'userfile' process, which runs with the id of the user and
accesses his files (e.g. over NFS).
I think it is the wrong decision to make 'privileged' the standard
and 'non-privileged' the special case.
Please note also that the two free versions of ssh, ossh by
Bjoern Groenvall <[EMAIL PROTECTED]> and OpenSSH from the OpenBSD project,
do _not_ exhibit this behaviour, since they are derived from ssh-1.2.12,
the last version of the original ssh that was free for commercial use.
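For readers who want to see the two-process structure described above in code, here is an added example; it is neither ssh's code nor the poster's. The function names, the wire format between the two halves and the 4096-byte cap are assumptions made for the example. The privileged side forks, the child drops to the user's uid and gid permanently (and checks that it cannot setuid(0) back), and only the child ever opens the user's files; the parent talks to it over a socketpair and never touches the files itself.

```c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <grp.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define USERFILE_MAX 4096   /* hypothetical cap on path length and file chunk */

/* Permanently drop to uid/gid. Groups and gid go first: once the uid is
 * gone an unprivileged process can no longer change them. Then verify
 * the drop took, and that root cannot be regained (no saved root uid). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)    /* root-only call */
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)                  /* must fail with EPERM */
        return -1;
    return 0;
}

/* Move exactly n bytes over a stream socket; -1 on EOF or error. */
static int read_full(int fd, void *buf, size_t n)
{
    for (char *p = buf; n > 0; ) {
        ssize_t r = read(fd, p, n);
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}
static int write_full(int fd, const void *buf, size_t n)
{
    for (const char *p = buf; n > 0; ) {
        ssize_t w = write(fd, p, n);
        if (w <= 0) return -1;
        p += w; n -= (size_t)w;
    }
    return 0;
}

/* Unprivileged 'userfile' side: answer "open this path, return its first
 * chunk" requests until the privileged side closes the socket. Wire format
 * (invented for this example): uint32 pathlen + path -> int32 datalen
 * (-1 on error) + data. All file access happens here, as the user. */
static void userfile_loop(int sock)
{
    char path[USERFILE_MAX + 1], data[USERFILE_MAX];
    uint32_t plen;
    while (read_full(sock, &plen, sizeof plen) == 0 && plen <= USERFILE_MAX) {
        if (read_full(sock, path, plen) < 0) break;
        path[plen] = '\0';
        int32_t dlen = -1;
        int fd = open(path, O_RDONLY | O_NOFOLLOW);
        if (fd >= 0) {
            ssize_t r = read(fd, data, sizeof data);
            close(fd);
            if (r >= 0) dlen = (int32_t)r;
        }
        if (write_full(sock, &dlen, sizeof dlen) < 0) break;
        if (dlen > 0 && write_full(sock, data, (size_t)dlen) < 0) break;
    }
    _exit(0);
}

/* Privileged side: fork the userfile process, which drops to uid/gid
 * before it touches anything. Returns our end of the socketpair, or -1. */
int start_userfile_process(uid_t uid, gid_t gid, pid_t *pid_out)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);
        if (drop_privileges(uid, gid) < 0) _exit(1);   /* never serve as root */
        userfile_loop(sv[1]);
    }
    close(sv[1]);
    *pid_out = pid;
    return sv[0];
}

/* Ask the userfile process for the first chunk of 'path', read as the
 * user. Returns bytes copied into buf, or -1 if the user could not read it. */
ssize_t userfile_read(int sock, const char *path, char *buf, size_t buflen)
{
    size_t len = strlen(path);
    uint32_t plen = (uint32_t)len;
    char data[USERFILE_MAX];
    int32_t dlen;
    if (len > USERFILE_MAX) return -1;
    if (write_full(sock, &plen, sizeof plen) < 0 || write_full(sock, path, len) < 0)
        return -1;
    if (read_full(sock, &dlen, sizeof dlen) < 0 || dlen < 0 || dlen > USERFILE_MAX)
        return -1;
    if (dlen > 0 && read_full(sock, data, (size_t)dlen) < 0) return -1;
    size_t n = (size_t)dlen < buflen ? (size_t)dlen : buflen;
    memcpy(buf, data, n);
    return (ssize_t)n;
}

/* Close our end so the child sees EOF and exits, then reap it. */
int stop_userfile_process(int sock, pid_t pid)
{
    int status;
    close(sock);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Run as root, start_userfile_process(uid, gid, &pid) is the setuid side of the split; run unprivileged it still works, with the child dropping to the caller's own uid, so it can be exercised without root. What the fork buys over set_eugid()-style swapping is that the child holds no saved root uid to return to, so neither a core dump of it nor a bug in its file-handling path exposes anything the root process holds; the cost is the second process and the protocol between the two halves, which is the trade-off the message above argues about.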