Matt Zimmerman wrote:
>
> On Thu, Jan 11, 2001 at 01:42:52AM +0200, Ari Saastamoinen wrote:
>
> > On Wed, 10 Jan 2001, Pedro Margate wrote:
> >
> > > install the ssh binary as suid root by default. This can be disabled
> > > during configuration or after the fact with chmod. I believe that would
> >
> > That exploit can use any suid root program which resolves host names. (For
> > example ping and traceroute) So you cannot fix that glibc exploit only by
> > unsetting the SUID bit of the ssh client.
>
> Or more properly, an suid root program which resolves host names _while still
> holding root privileges_. ping from netkit and traceroute from LBNL do not
> fall into this category. fping from SATAN, however, does.

As does OpenSSH, something that my patch (attached) fixes.

The patch is for OpenSSH 2.3.0p1. Special thanks to Markus Friedl ([EMAIL PROTECTED]) for his help/comments on the patches. Tested on RedHat 7.0.

> --
> - mdz

--
Andrew Bartlett
[EMAIL PROTECTED]
--- ssh.orig Sat Jan 13 12:51:42 2001 +++ ssh.c Sat Jan 13 12:52:02 2001 @@ -611,12 +611,10 @@ rsh_connect(host, options.user, &command); fatal("rsh_connect returned"); } - /* Restore our superuser privileges. */ - restore_uid(); /* - * Open a connection to the remote host. This needs root privileges - * if rhosts_{rsa_}authentication is enabled. + * Open a connection to the remote host. This regains + * root privilages as required. */ ok = ssh_connect(host, &hostaddr, options.port, @@ -625,6 +623,9 @@ !options.rhosts_rsa_authentication, original_real_uid, options.proxy_command); + + /* Restore our superuser privileges. */ + restore_uid(); /* * If we successfully made the connection, load the host private key
--- sshconnect.orig Sat Jan 13 12:51:49 2001 +++ sshconnect.c Sat Jan 13 12:52:01 2001 @@ -96,6 +96,7 @@ char *argv[10]; /* Child. Permanently give up superuser privileges. */ + restore_uid(); permanently_set_uid(original_real_uid); /* Redirect stdin and stdout. */ @@ -155,21 +156,22 @@ */ if (privileged) { int p = IPPORT_RESERVED - 1; + /* Restore our superuser privileges. */ + restore_uid(); sock = rresvport_af(&p, family); + /* Back to normal user. */ + temporarily_use_uid(original_real_uid); if (sock < 0) error("rresvport: af=%d %.100s", family, strerror(errno)); else debug("Allocated local port %d.", p); } else { /* - * Just create an ordinary socket on arbitrary port. We use - * the user's uid to create the socket. + * Just create an ordinary socket on arbitrary port. */ - temporarily_use_uid(original_real_uid); sock = socket(family, SOCK_STREAM, 0); if (sock < 0) error("socket: %.100s", strerror(errno)); - restore_uid(); } return sock; } @@ -248,11 +250,7 @@ /* Create a socket for connecting. */ sock = ssh_create_socket(original_real_uid, -#ifdef HAVE_CYGWIN !anonymous && port < IPPORT_RESERVED, -#else - !anonymous && geteuid() == 0 && port < IPPORT_RESERVED, -#endif ai->ai_family); if (sock < 0) continue; @@ -261,15 +259,12 @@ * hope that it will help with tcp_wrappers showing * the remote uid as root. */ - temporarily_use_uid(original_real_uid); if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); - restore_uid(); break; } else { debug("connect: %.100s", strerror(errno)); - restore_uid(); /* * Close the failed socket; there appear to * be some problems when reusing a socket for
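Review bot: the new comment in the ssh.c hunk at -611 misspells "privileges" as "privilages"; suggest "This regains root privileges as required." It would also help to state there that ssh_connect() is now entered with the real uid in effect and is itself responsible for calling restore_uid() around the operations that need root, since that is the invariant the rest of the patch relies on.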
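Review bot: the restore_uid() added before permanently_set_uid(original_real_uid) in the proxy-command child (sshconnect.c hunk at -96) needs a comment of its own. The existing "Permanently give up superuser privileges" line does not say why privileges are regained first, namely that the permanent drop only discards the saved root uid when it is made with an effective uid of 0, so a later reader may remove the call as redundant and silently reintroduce the problem.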
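Review bot: in the sshconnect.c hunk at -155, ssh_create_socket() now relies on the caller having already switched to original_real_uid before the else branch is reached, but nothing in the function documents that precondition once the "We use the user's uid to create the socket" comment is removed; suggest keeping a line to that effect above the socket() call or a short note at the top of the function. The privileged branch looks right: temporarily_use_uid(original_real_uid) follows rresvport_af() on both the success and the failure path, so the error() call is made without root.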
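Review bot: dropping the non-Cygwin `!anonymous && geteuid() == 0 && port < IPPORT_RESERVED` test in the hunk at -248 changes behaviour for binaries that are not installed setuid root. The geteuid() check is indeed always false now that ssh.c calls ssh_connect() with the real uid in effect, but it was also what kept rresvport_af() from being attempted when there is no root privilege to regain; with it gone, such a build hits the "rresvport: ..." error path whenever rhosts_rsa_authentication is enabled (anonymous is passed as !options.rhosts_rsa_authentication in ssh.c). Consider replacing the test with a check of whether privileges can actually be regained, for example by recording once at startup whether restore_uid() yields euid 0, rather than removing it outright.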