Subject: Re: setuid ssh
To: Andrew Brown <atatat@atatdot.net>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-security
Date: 10/18/2000 10:16:25
Cc: Atsushi Onoe <onoe@sm.sony.co.jp>, cjs@cynic.net,
	hubert.feyrer@informatik.fh-regensburg.de, tech-security@netbsd.org
In-Reply-To: Message from Andrew Brown <atatat@atatdot.net>
   of "Wed, 18 Oct 2000 10:00:28 EDT." <20001018100028.B29756@noc.untraceable.net>
Reply-To: sommerfeld@orchard.arlington.ma.us
Message-Id: <20001018141630.AE17D2A2A@orchard.arlington.ma.us>

> >if ~backup/.ssh/identity and /etc/ssh_host_key are (effectively)
> >protected the same, all bets are off.
> 
> well...they're both 0700, but one belongs to the user and the other
> belongs to root.

right, but "backup" (in particular) is very likely to be in group
"operator" (so it can back up non-world-readable files by reading the
raw disk), so it has (indirect) read access to /etc/ssh_host_key.

> >(surely you don't actually believe that an attacker can't quietly
> >usurp the host's ip address ..)
> 
> i believe they can, but am placing the difficulty level a little
> higher than breaking into a machine via some other means and obtaining
> root privs (so as to steal all the keys).

If an attacker gets root privs, "game over"... they can replace the
kernel and change the rules of the game.

					- Bill
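An added defender's audit for the point above (group "operator" ownership of the raw disk nodes gives indirect read access to every file, a 0600 host key included). This is example code, not from the thread or from NetBSD: a POSIX shell check that lists the non-root accounts able to read a device node through its group permission bits. The group/passwd fixture and a regular file standing in for the device node are constructed here; the account names in it are made up.

```shell
#!/bin/sh
# Audit: which accounts other than root can read a raw disk device through its
# group permission bits? Such an account can read any file on that disk no
# matter what its mode is (a 0600 /etc/ssh_host_key included), so it has to be
# trusted like root. Inputs are group(5)- and passwd(5)-format files.

# Explicit members of a group (4th field of group(5)), one per line.
group_members() {            # $1 = group file, $2 = group name
    awk -F: -v g="$2" '$1 == g && $4 != "" { gsub(/,/, "\n", $4); print $4 }' "$1"
}

# Numeric gid for a group name; prints nothing if the group is unknown.
group_gid() {                # $1 = group file, $2 = group name
    awk -F: -v g="$2" '$1 == g { print $3 }' "$1"
}

# Accounts whose primary group (4th field of passwd(5)) is the given gid.
primary_group_users() {      # $1 = passwd file, $2 = gid
    awk -F: -v gid="$2" 'gid != "" && $4 == gid { print $1 }' "$1"
}

# Non-root accounts able to read node $1 via its group bits, sorted, one per
# line; prints nothing if the node is not group-readable. The path must not
# contain whitespace because the ls -l line is word-split.
raw_disk_readers() {         # $1 = device node, $2 = group file, $3 = passwd file
    grpfile=$2 pwfile=$3
    set -- $(ls -ld "$1")            # mode links owner group ...
    mode=$1 grp=$4
    case $mode in
        ????r*) ;;                   # 5th character is the group read bit
        *) return 0 ;;
    esac
    { group_members "$grpfile" "$grp"
      primary_group_users "$pwfile" "$(group_gid "$grpfile" "$grp")"
    } | grep -v '^root$' | sort -u
}

# Constructed fixture, not a real system: a regular file stands in for the
# raw device node (crw-r----- root operator on the BSD in the thread). It is
# owned by the caller's own group so the mode check runs anywhere.
FIX=$(mktemp -d)
MYGRP=$(id -gn 2>/dev/null || id -g) MYGID=$(id -g)
: > "$FIX/rwd0c" && chmod 640 "$FIX/rwd0c"
printf '%s:*:%s:backup,root\n' "$MYGRP" "$MYGID" > "$FIX/group"
printf 'root:*:0:0::/root:/bin/sh\nbackup:*:1000:1000::/var/backups:/bin/sh\n' > "$FIX/passwd"
printf 'operator:*:2:%s::/:/sbin/nologin\n' "$MYGID" >> "$FIX/passwd"
raw_disk_readers "$FIX/rwd0c" "$FIX/group" "$FIX/passwd"   # backup, operator
```

Every account the check prints can bypass file permissions on that disk, so the list should be as short as the list of people you would hand the root password to.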