Subject: pkg/7080: ${PREFIX}/bin/ssh1 needs to be setuid in ssh-1.2.26
To: None <gnats-bugs@gnats.netbsd.org>
From: David Rankin <drankin@bohemians.lexington.ky.us>
List: netbsd-bugs
Date: 03/03/1999 17:18:31
>Number: 7080
>Category: pkg
>Synopsis: ${PREFIX}/bin/ssh1 needs to be setuid in ssh-1.2.26
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Mar 3 14:35:01 1999
>Last-Modified:
>Originator: David Rankin
>Organization:
Bohemians Unincorporated
>Release: package-19990301
>Environment:
System: NetBSD portia 1.3I NetBSD 1.3I (PORTIA) #1: Wed Feb 24 15:17:00 EST 1999 drankin@oldtom:/usr/src/sys/arch/i386/compile/PORTIA i386
>Description:
When ssh-1.2.26 installs, it doesn't setuid ssh1. In an interactive
environment, ssh willa non-root user, it will fail with calls to initgroups and/or setgroups.
I have exposed this because I have an automated non-root process calling
ssh.
>How-To-Repeat:
Call ssh as a non-root user from a process without a controlling shell.
>Fix:
Comment out this line in ssh's Makefile:
CONFIGURE_ARGS+= --disable-suid-ssh
>Audit-Trail:
>Unformatted: