[NBLUG/talk] SSH not letting me login

Eric Eisenhart eric at nblug.org
Wed Nov 3 14:28:14 PST 2004


On Wed, Nov 03, 2004 at 06:29:41AM -0800, Dave Sisley wrote:
> I invite any TRUE experts out there to explain why the permissions need 
> to be set this way.  Why should ssh care who can write to my home partition?
> I'd understand if ssh was worried about protecting the .ssh subdirectory 
> inside my homedir.  Shouldn't ssh mind its own business?

The problem is a race condition, basically.  (as well as the possibility of
other tampering)

If a program is trying to access the file /a/b/c/d and directory "c" and
file "d" are both well protected with proper read-only permissions but
directory "b" is writable by the world, then there's a problem, well, let me
write in pseudocode:

check_perms("d")
filehandle = open("d")
read(filehandle)

Or, if you try to be a little smarter (as you suggested) and check the
directory, too:
check_perms("d")
check_perms("c")
filehandle = open("d")
read(filehandle)

It's possible that an attacker with write access to b could do:
rename("c","c.old")
rename("evildir","c")

in between the times when check_perms and open are run, rendering all the
permissions checking totally useless.  (renaming a file only requires write
access to the directory it's in, since in Unix the file's "name" is truly a
part of the directory listing and not a part of the file itself)

It's possible to have the code do:
filehandle = open("d")
check_perms(filehandle)

(which guarantees that you're checking the permissions of the file that was
actually opened)  But that doesn't protect against an attacker substituting
a file you own, but didn't intend for this specific purpose.  (say, a sample
authorized_keys file you had in your web directory for people to look at, or
a chunk of some logfile that an attacker influenced into holding the data
they wanted ...)

But, if you take "/a/b/c/d" and check "a", then "b", then "c", then "d" for
only root or the intended user being able to write to them, everything's
good and there's no way a user who isn't already root or the user could've
affected "d" before sshd opened it.

Does all that make sense?
-- 
Eric Eisenhart
NBLUG Co-Founder & Director-At-Large
The North Bay Linux Users Group
http://nblug.org/
eric at nblug.org, IRC: Freiheit at freenode, AIM: falschfreiheit, ICQ: 48217244
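The component-by-component walk described in the mail, as an added example that is not part of the original message or of sshd's code: it checks every directory from a trusted starting directory (the user's home directory in sshd's case; here a scratch directory, an assumption for the demo) down to the file, and reports any element that someone other than root or the intended user could write to. The demo builds the /a/b/c/d layout with a world-writable "b", then fixes it.

```python
import os
import stat
import tempfile


def insecure_components(path, owner_uid, trusted_dir):
    """Return (component, reason) pairs for every element from trusted_dir
    down to path that someone other than root or owner_uid could write to.
    One writable ancestor is enough for an attacker to rename a whole
    subtree into place between a permission check and the open, so the
    check has to cover each directory on the way, not only the file."""
    path = os.path.realpath(path)
    trusted_dir = os.path.realpath(trusted_dir)
    if not path.startswith(trusted_dir.rstrip(os.sep) + os.sep):
        return [(path, "not below trusted directory")]
    relative = [p for p in path[len(trusted_dir):].split(os.sep) if p]
    components = [trusted_dir]
    for part in relative:
        components.append(os.path.join(components[-1], part))
    problems = []
    for current in components:
        st = os.stat(current)  # stat, not a name check: follows the real object
        if st.st_uid not in (0, owner_uid):
            problems.append((current, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((current, "group- or world-writable"))
    return problems


def demo():
    """Constructed sample layout: c and d are locked down, b is world-writable,
    exactly the situation the mail describes.  Returns the findings before
    and after b is fixed."""
    base = tempfile.mkdtemp()          # mode 0700, owned by the current user
    b = os.path.join(base, "b")
    c = os.path.join(b, "c")
    d = os.path.join(c, "d")
    os.makedirs(c)
    with open(d, "w") as fh:
        fh.write("ssh-ed25519 AAAA...constructed-sample-key\n")
    os.chmod(b, 0o777)   # the flaw: anyone may rename c -> c.old, evildir -> c
    os.chmod(c, 0o755)
    os.chmod(d, 0o644)
    before = insecure_components(d, os.getuid(), base)
    os.chmod(b, 0o755)   # fixed: only the owner (or root) can rename entries in b
    after = insecure_components(d, os.getuid(), base)
    return before, after


if __name__ == "__main__":
    print(demo())
```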