version 1.60, 1998/02/09 21:56:33 |
version 1.61, 1998/02/14 02:20:37 |
|
|
<a href=http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/readlink/readlink.c?rev=1.13> |
<a href=http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/readlink/readlink.c?rev=1.13> |
revision 1.13 of usr.bin/readlink/readlink.c</a>. |
revision 1.13 of usr.bin/readlink/readlink.c</a>. |
<p> |
<p> |
|
<li><strong>IMPORTANT</strong> |
|
A combination localhost+remote host security problem exists if a |
|
local user running a setuid binary causes a non-existant root .rhosts |
|
file to be created via a symbolic link with a specific kind of corefile, |
|
and then subsequently uses rsh/rlogin to enter the machine from remote. |
|
A similar exploit might also be possible using sshd which lacks any code |
|
for checking for deviations from the expected format in the .rhosts or |
|
.shosts files, but we have not confirmed this yet. The following two |
|
fixes are recommended: |
|
<p> |
|
<ul> |
|
<li> |
|
<a href=ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/nosuidcoredump.patch> |
|
(1) Adds a new sysctl option which permits the adminstrator to decide |
|
whether setuid corefiles should be written or not.</a> |
|
<p> |
|
<li><a href=ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/rcmd.patch> |
|
(2) Replaces the ruserok() function in libc with a much more paranoid |
|
version which can detect these bogus looking .rhosts files better. If the |
|
previous patch is used to stop setuid coredumps, then this patch is not |
|
as important.</a> |
|
</ul> |
|
<p> |
|
This problem is fixed much better in OpenBSD-current, where the kernel's |
|
symbolic link handling has been improved such that coredumping will not |
|
create a file on the other side of a symbolic link. Such a patch is not |
|
possible for the 4.4lite1 VFS layer in the OpenBSD 2.2 kernel. |
|
<p> |
</ul> |
</ul> |
<a name=i386></a> |
<a name=i386></a> |
<li><font color=#e00000>i386</font> |
<li><font color=#e00000>i386</font> |
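Review bot: two spelling errors in the added IMPORTANT item should be corrected: "non-existant" in the opening paragraph should be "non-existent", and "adminstrator" in the description of fix (1) should be "administrator". Both fix descriptions are also wrapped whole inside their <a href=...> elements, so the entire sentence becomes link text; link a short label such as the patch file name and leave the explanation as plain text. Fix (1) refers to "a new sysctl option" without naming it, so the entry should state the option name and the setting that stops setuid corefiles, taken from nosuidcoredump.patch. The sshd sentence is marked unconfirmed; it would help to say whether the ruserok() replacement in rcmd.patch affects the .shosts path at all, or whether only disabling setuid coredumps protects sshd users.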