| Summary: | [PATCH] Protect rmdir() with temporarily_use_uid() in session.c | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Erik Sjölund <erik.sjolund> | ||||
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> | ||||
| Status: | CLOSED FIXED | ||||||
| Severity: | enhancement | CC: | djm | ||||
| Priority: | P5 | ||||||
| Version: | 7.9p1 | ||||||
| Hardware: | Other | ||||||
| OS: | Linux | ||||||
| Bug Depends on: | |||||||
| Bug Blocks: | 2915 | ||||||
| Attachments: |
|
||||||
AFAIK since we removed the ability to disable privilege separation, I think it's impossible for this code to run with elevated privileges to being with. That being said, as long as the skeleton of the !privsep case remains, we should follow the rules... Thanks - I've committed this and it will be in the OpenSSH 8.0 release closing resolved bugs as of 8.6p1 release |
Created attachment 3243 [details] Protect rmdir() with temporarily_use_uid() in session.c The auth_sock_dir is created by the login user identity but might be removed by the priviledged user at this place in ssh/session.c authsock_err: free(auth_sock_name); if (auth_sock_dir != NULL) { rmdir(auth_sock_dir); free(auth_sock_dir); } It would be better to run the rmdir() system call under the login user identity instead (as implemented in the attached patch protect_rmdir.patch). I don't think it is a security issue though. A symlink race condition will not work because the symlink would have to be at the "/tmp" part of the auth_sock_dir path. (An unpriviledged user can't replace the /tmp with a symlink)