Subject: Re: setuid ssh
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 10/18/2000 10:20:38
Cc: Atsushi Onoe <onoe@sm.sony.co.jp>, cjs@cynic.net, tech-security@netbsd.org

>> >if ~backup/.ssh/identity and /etc/ssh_host_key are (effectively)
>> >protected the same, all bets are off.
>> 
>> well...they're both 0700, but one belongs to the user and the other
>> belongs to root.
>
>right, but "backup" (in particular) is very likely to be in group
>"operator" (so it can back up non-world-readable files by reading the
>raw disk), so it has (indirect) read access to /etc/ssh_host_key.

ah yes.  i forgot about that one.  again.

>> >(surely you don't actually believe that an attacker can't quietly
>> >usurp the host's ip address ..)
>> 
>> i believe they can, but am placing the difficulty level a little
>> higher than breaking into a machine via some other means and obtaining
>> root privs (so as to steal all the keys).
>
>If an attacker gets root privs, "game over"... they can replace the
>kernel and change the rules of the game.

not if you ran the machine in ultrasecure mode with the securelevel
set to 7, and all files set to either immutable or append only.  i
could steal the key in that case, notice that the machine was tough to
crack, and use the key to move on.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
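The indirect-access point made above (a user in group "operator" can read the raw disk device, so the file mode on /etc/ssh_host_key no longer protects it) written out as an audit check. This is an added example, not code from the thread or from NetBSD; the group file, device node and host-key metadata are constructed sample data, and the device path /dev/rwd0a is assumed.

```python
"""Audit which users gain indirect read access to a root-only file because
their group can read the raw disk device.  Constructed sample data."""
import stat

# Constructed /etc/group-style data: group name -> members.
GROUPS = {
    "wheel": ["root"],
    "operator": ["root", "backup"],   # backup dumps via the raw device
    "users": ["alice", "backup"],
}

# Constructed device nodes: path -> (mode, owner, group).
# A raw disk node owned root:operator with mode 0640 is a common layout.
DEVICES = {
    "/dev/rwd0a": (0o640, "root", "operator"),
}

# Constructed target file: the host key, root:wheel mode 0600.
TARGET = ("/etc/ssh_host_key", 0o600, "root", "wheel")


def user_groups(user):
    """Set of group names the user is a member of."""
    return {g for g, members in GROUPS.items() if user in members}


def can_read(user, mode, owner, group):
    """Classic UNIX discretionary read check for one file or device node."""
    if user == "root":
        return True
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in user_groups(user):
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def raw_disk_access(user):
    """Raw devices the user can read; reading the raw disk bypasses file modes."""
    return sorted(d for d, (m, o, g) in DEVICES.items() if can_read(user, m, o, g))


def effective_read(user):
    """Direct permission on the target, and the effective answer once raw
    disk access is taken into account."""
    _, mode, owner, group = TARGET
    direct = can_read(user, mode, owner, group)
    indirect = bool(raw_disk_access(user))
    return {"direct": direct, "via_raw_disk": indirect, "effective": direct or indirect}
```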