From ceder@lysator.liu.se Fri Nov 17 00:13:52 2000 Received: from proton.lysator.liu.se (proton.lysator.liu.se [130.236.254.69]) by mail.lysator.liu.se (Postfix) with ESMTP id 19EBE2407DEE; Fri, 17 Nov 2000 00:13:52 +0100 (MET) Received: (from ceder@localhost) by proton.lysator.liu.se (8.9.0/8.8.7) id AAA04461; Fri, 17 Nov 2000 00:13:51 +0100 (MET) To: fsh-announce@lists.lysator.liu.se From: ceder@lysator.liu.se (Per Cederqvist) MIME-Version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 8bit Date: 17 Nov 2000 00:13:51 +0100 Message-ID: Lines: 26 X-Mailer: Gnus v5.7/Emacs 20.7 Subject: [fsh-announce] New mailinglists for fsh Sender: fsh-announce-admin@lists.lysator.liu.se Errors-To: fsh-announce-admin@lists.lysator.liu.se X-BeenThere: fsh-announce@lists.lysator.liu.se X-Mailman-Version: 2.0rc1 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Announcements about fsh. List-Unsubscribe: , List-Archive: I have created three new mailinglists for fsh. fsh-announce: Announcements of new versions et c. Subscribe: send a mail to fsh-announce-request@lists.lysator.liu.se, or visit http://lists.lysator.liu.se/mailman/listinfo/fsh-announce fsh-info: An open list for discussions about fsh. To avoid spam, only members can post to the list. Subscribe: send a mail to fsh-info-request@lists.lysator.liu.se, or visit http://lists.lysator.liu.se/mailman/listinfo/fsh-info fsh-bugs: A list for bug reports. You don't have to subscribe to send a bug report. Subscribe: send a mail to fsh-bugs-request@lists.lysator.liu.se, or visit http://lists.lysator.liu.se/mailman/listinfo/fsh-bugs Report a bug: send a mail to fsh-bugs@lists.lysator.liu.se From ceder@lysator.liu.se Tue Nov 28 00:21:39 2000 Received: from proton.lysator.liu.se (proton.lysator.liu.se [130.236.254.69]) by mail.lysator.liu.se (Postfix) with ESMTP id 8D1E0240A47E; Tue, 28 Nov 2000 00:21:38 +0100 (MET) Received: (from ceder@localhost) by proton.lysator.liu.se (8.9.0/8.8.7) id AAA00246; Tue, 28 Nov 2000 00:21:38 +0100 (MET) To: fsh-announce@lists.lysator.liu.se From: ceder@lysator.liu.se (Per Cederqvist) MIME-Version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 8bit Date: 28 Nov 2000 00:21:38 +0100 Message-ID: Lines: 37 X-Mailer: Gnus v5.7/Emacs 20.7 Subject: [fsh-announce] Local users can use other users tunnels Sender: fsh-announce-admin@lists.lysator.liu.se Errors-To: fsh-announce-admin@lists.lysator.liu.se X-BeenThere: fsh-announce@lists.lysator.liu.se X-Mailman-Version: 2.0rc1 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Announcements about fsh. List-Unsubscribe: , List-Archive: Colin Phipps found a problem in fsh about a month ago: On Sat, Oct 21, 2000 at 02:48:10PM +0000, Colin Phipps wrote: > Package: fsh > Version: 1.0.post.1-2.1 > Severity: normal > > fshd has to create a directory in /tmp to hold its sockets; since the > dir is shared by sockets for different instances of fshd's, it has to > accept the possibility that the directory may already exist. The > logic in fshd for doing this is currently: > > make the directory; if it already existed, chmod 0700 it > > Since the chmod will throw an exception if it fails, this (normally) > prevents attacks with malicious local users precreating the socket > directory and trying evil things. But there are two problems with > this logic: > > - the chmod will follow symlinks, so a malicious user can symlink > /tmp/fshd- to another file and when fshd is first run by that UID > it will chmod 0700 the file pointed to. > - the obvious race condition; an attacker could symlink /tmp/fshd- > to a file owned by the user, then remove the symlink and create a > directory there instead between the chmod and creation of the socket. > This would defeat fshd's attempt to make the socket directory safe. Unfortunately, he didn't report the bug to me, but to the Debian bug reporting system. Less than twelve hours ago, I received notice about the potential security problem, and made the 1.0.post.4 release that should fix this problem. I recommend everybody to upgrade to this version. And in the future, please send security-related bug reports directly to fsh-bugs@lists.lysator.liu.se or ceder@lysator.liu.se! /ceder From ceder@lysator.liu.se Sun Dec 10 23:23:47 2000 Received: from proton.lysator.liu.se (proton.lysator.liu.se [130.236.254.69]) by mail.lysator.liu.se (Postfix) with ESMTP id D9B782402C3E; Sun, 10 Dec 2000 23:23:46 +0100 (MET) Received: (from ceder@localhost) by proton.lysator.liu.se (8.9.0/8.8.7) id XAA05141; Sun, 10 Dec 2000 23:23:46 +0100 (MET) Date: Sun, 10 Dec 2000 23:23:46 +0100 (MET) Message-Id: <200012102223.XAA05141@proton.lysator.liu.se> To: fsh-announce@lists.lysator.liu.se From: ceder@lysator.liu.se (Per Cederqvist) Subject: [fsh-announce] fsh-1.1 is released Sender: fsh-announce-admin@lists.lysator.liu.se Errors-To: fsh-announce-admin@lists.lysator.liu.se X-BeenThere: fsh-announce@lists.lysator.liu.se X-Mailman-Version: 2.0rc1 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Announcements about fsh. List-Unsubscribe: , List-Archive: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Version 1.1 of fsh has been released. It is available from these locations: http://www.lysator.liu.se/fsh/ ftp://ftp.lysator.liu.se/pub/unix/fsh/ Here is a list of the most important changes made since version 1.0: * fshd exits when it has been unused ten hours. The timeout can be changed at configure time with --enable-timeout=TIME and at runtime with --timeout=TIME. (TIME is measured in seconds). * fcp should now work with OpenSSH 2.x. * The socket creation code in fshd was not paranoid enough. There were are at least two possible attacks: - If a malicious user has symlinked /tmp/fshd- to another file, fshd will chmod 0700 that file. - A race condition made it possible for an attacker to create an unsafe socket directory, so that the attacker can access an fshd tunnel. The attacker must alread have a local shell on the computer where fsh or fshd is invoked. * Detection of process death has been improved. A simple "fsh host echo hello" could sometimes take 5 extra seconds for no good reason. * Prompts such as "host key not found", "enter passphrase" and "enter password" emitted by ssh is no longer silently swollowed by fsh. This means that you can use fsh even if you need to supply a password to ssh when you log in. * The method name supplied in "-r method" may contain any character, including slashes. * Allow "fsh host -l login cmd" as well as "fsh -l login host cmd". This is needed in some configurations of CVS. /ceder -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (SunOS) Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard iEYEARECAAYFAjo0AhkACgkQTl5zjNKUYI4UaACgi/Y9kD196mPMtV7u0raNmJHT kWIAni6d56Y6Ek900YyZYO/ii/6INXyB =byr+ -----END PGP SIGNATURE----- From ceder@lysator.liu.se Sun Dec 23 12:53:26 2001 Received: from taylor.lysator.liu.se (taylor.lysator.liu.se [130.236.254.24]) by mail.lysator.liu.se (Postfix) with ESMTP id 6BF5782FFDB; Sun, 23 Dec 2001 12:53:26 +0100 (MET) Received: (from ceder@localhost) by taylor.lysator.liu.se (8.9.3/8.8.7) id GAA27546; Sun, 23 Dec 2001 06:53:26 -0500 (EST) X-Authentication-Warning: taylor.lysator.liu.se: ceder set sender to ceder@lysator.liu.se using -f To: fsh-announce@lists.lysator.liu.se From: Per Cederqvist Date: 23 Dec 2001 12:53:25 +0100 Message-ID: Lines: 12 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.1 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: [fsh-announce] fsh 1.2 released Sender: fsh-announce-admin@lists.lysator.liu.se Errors-To: fsh-announce-admin@lists.lysator.liu.se X-BeenThere: fsh-announce@lists.lysator.liu.se X-Mailman-Version: 2.0rc1 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Announcements about fsh. List-Unsubscribe: , List-Archive: I've just released fsh version 1.2. The only change is that this version works with the newly released Python 2.2. Python 2.2 unfortunately broke fsh, and apparently no fsh user found out about this during the beta test cycle of Python. As always, fsh is available from http://www.lysator.liu.se/fsh/ I have started using Bugzilla to track fsh bugs. I have a backlog of old bugs that I have not yet entered into Bugzilla. They are not forgotten. /ceder