From owner-freebsd-security  Tue Jun 25 12:25:19 2002
Delivered-To: freebsd-security@freebsd.org
Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68])
	by hub.freebsd.org (Postfix) with ESMTP id 36B3837B400
	for <security@FreeBSD.ORG>; Tue, 25 Jun 2002 12:25:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5PJP261091980;
	Wed, 26 Jun 2002 07:25:02 +1200 (NZST)
	(envelope-from andrew@scoop.co.nz)
Date: Wed, 26 Jun 2002 07:25:02 +1200 (NZST)
From: Andrew McNaughton <andrew@scoop.co.nz>
X-X-Sender: andrew@a2
To: Brian Behlendorf <brian@hyperreal.org>
Cc: Niels Provos <provos@citi.umich.edu>, <security@FreeBSD.ORG>
Subject: Re: UseLogin and openssh-portable priv separation
In-Reply-To: <20020625084414.K310-100000@yez.hyperreal.org>
Message-ID: <20020626071030.A91731-100000@a2>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org



On Tue, 25 Jun 2002, Brian Behlendorf wrote:

> On Tue, 25 Jun 2002, Niels Provos wrote:
> > If you do UseLogin, that means that you will loose privilege
> > separation after authentication.  The Pre-authentication phase is
> > still privilege separated even with UseLogin enabled.
>
> Right, I got that from the man page, but was still slightly unclear: does
> using UseLogin remove the security that prevents the to-be-released
> exploit from being exploitable?  Sounds like it does not remove that
> security, *unless* the attack came from someone who successfully
> authenticated, who could then get root?

As I understand things...

Whether or not you have UseLogin enabled, then a chrooted process run as
user sshd will be forked to handle the authentication stage.  This process
terminates before the session is established.  You should be able to see
this process in your process accounting files with lastcomm if you've
turned the accounting on.

If UseLogin is not enabled, sshd will then fork a process with the
priviledges of the user who is logging in, and this process will be the
parent of the spawned shell or other command, and will persist for the
duration of the connection.

If UseLogin is enabled then sshd won't fork a process owned by the user.
Once the session is started you will see much the same info in ps output
that you did before the new privilege separation was added.

whether this has any bearing on the soon to be relased exploit I obviously
cannot say for certain, but if UseLogin meant that the exploit could still
run, then I imagine Theo would have said so.

Andrew McNaughton


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message