| Summary: | sshd.pid has permissions of 666 | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | leanne <njleanne> | ||||||||
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> | ||||||||
| Status: | CLOSED FIXED | ||||||||||
| Severity: | security | CC: | dtucker | ||||||||
| Priority: | P2 | ||||||||||
| Version: | 4.7p1 | ||||||||||
| Hardware: | HPPA | ||||||||||
| OS: | HP-UX | ||||||||||
| Bug Depends on: | |||||||||||
| Bug Blocks: | 1452 | ||||||||||
| Attachments: |
|
||||||||||
Created attachment 1448 [details]
set umask for PidFile
The other thing you can to do mitigate this is to set your umask to something other the "0".
Created attachment 1449 [details]
for fixing the permission of sshd.pid in the source code
This is a patch made by us, and we have tested it on all the hp-ux platform for 11.11, 11.23 and 11.31, it's ok. we just change the permission of pid file to 644, what do you think the patch (In reply to comment #2) > Created an attachment (id=1449) [details] > for fixing the permission of sshd.pid in the source code Comment on attachment 1449 [details] for fixing the permission of sshd.pid in the source code > fprintf(f, "%ld\n", (long) getpid()); > fclose(f); >+ if (chmod(options.pid_file,0644) == -1) >+ logit("chmod pid file failed"); This is not the best way to handle this as it's racy (ie there's a period between the write and the chmod where the content of the file could be changed). Created attachment 1522 [details]
Ensure sshd's umaske disallows at least group and world write.
This patch has been applied and will be in the next (5.1) release.
Thanks.
Mass update RESOLVED->CLOSED after release of openssh-5.1 |
The sshd.pid under /var/run has the permission of 666, which we think is a security bug. we can see that: # ps -ef |grep sshd root 9341 1 0 Jan 25 ? 0:02 /opt/ssh/sbin/sshd root 640 482 0 10:17:10 pts/ta 0:00 grep sshd # kill 9341 # umask 022 # umask 00 # /opt/ssh/sbin/sshd # ll /var/run/sshd.pid -rw-rw-rw- 1 root sys 4 Jan 28 10:17 sshd.pid so we change the openssh source code as this, pls see the attachment.