From owner-ssh@clinet.fi  Fri Apr  3 21:14:20 1998
Message-Id: <199804031746.JAA12803@yavin.qualcomm.com>
To: ssh@clinet.fi, ssh-bugs@cs.hut.fi
cc: sa-dev@qualcomm.com
Subject: Bug in ssh 1.2.22: authfd.c
Date: Fri, 03 Apr 1998 09:46:50 -0800
From: "Garrett D'Amore" <garrett@qualcomm.com>

I believe I've discovered a bug in ssh 1.2.22.  Essentially, the problem
is that authsockdir is freed too soon and as a result the calls to unlink()
fail, because the argument (authsock) is only a substring of authsockdir.

The user-visible symptom is the message:

	Cannot make temporary authentication socket directory ...

when using ssh-agent and a suid "ssh" program.

The output from Solaris truss shows:

	unlink(è")                                      Err#2 ENOENT
	chdir("/")                                      = 0
	rmdir("/tmp/ssh-garrett-12157")                 Err#93 ENOTEMPTY

followed a little while later by a

	mkdir("/tmp/ssh-garrett-12157", 0700)           Err#17 EEXIST

after which the message crops up.

Note the (apparently) random argument to unlink().  I've come up with
a patch (diff -c) -- it is attached below.  Let me know what you think.
Thanks!

	-- Garrett D'Amore



Index: authfd.c
===================================================================
RCS file: /prj/gv-dev/CVS/ssh/ssh/authfd.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 authfd.c
*** authfd.c	1998/02/05 19:04:52	1.1.1.1
--- authfd.c	1998/04/03 17:43:09
***************
*** 334,341 ****
  
    sunaddr.sun_family = AF_UNIX;
    strncpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
- 
-   xfree(authsocketdir);
    
    sock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (sock < 0)
--- 334,339 ----
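Review bot: the strncpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)) that stays in this hunk is not NUL-terminated when authsocket is as long as sun_path, and sunaddr is not shown being zeroed, so an over-long socket path is either silently truncated or handed to connect() as an unterminated name depending on the platform; a length check before the copy (return -1 when strlen(authsocket) >= sizeof(sunaddr.sun_path)) would close that, independently of this fix. Removing xfree(authsocketdir) here is correct: authsocket is a pointer into that buffer and is still used after this point, so freeing it here is the use-after-free the report describes.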
***************
*** 348,353 ****
--- 346,352 ----
  	  rmdir(newauthsockdir);
  	  xfree(newauthsockdir);
  	}
+       xfree(authsocketdir);
        return -1;
      }
  
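Review bot: the added xfree(authsocketdir) before return -1 is required, but this exit comes after sock = socket(...) in the previous hunk and the lines shown free newauthsockdir and authsocketdir without any close(sock); if no close is in the elided lines, this early return leaks a descriptor in a setuid binary. One error label that does close(sock), xfree(authsocketdir) and return -1 for every failure path would cover both problems at once.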
***************
*** 362,367 ****
--- 361,367 ----
  	  rmdir(newauthsockdir);
  	  xfree(newauthsockdir);
  	}
+       xfree(authsocketdir);
        return -1;
      }
    if (newauthsockdir != NULL)
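Review bot: this is the second verbatim copy of `rmdir(newauthsockdir); xfree(newauthsockdir); }` followed by the new xfree(authsocketdir) and return -1, and the bug being fixed was exactly a cleanup that did not line up with one exit path; a single `goto fail` target holding the rmdir, both xfree calls and the return would make the next added exit path safe by default. Note also that after the new xfree(authsocketdir) the authsocket pointer is dangling; that is acceptable here only because return -1 follows on the very next line, so any later refactor must keep it that way.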
***************
*** 371,376 ****
--- 371,377 ----
        rmdir(newauthsockdir);
        xfree(newauthsockdir);
      }
+   xfree(authsocketdir);
    fcntl(sock, F_SETFL, 0);  /* Set the socket to blocking mode */
    return sock;
  }
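Review bot: placing xfree(authsocketdir) after the newauthsockdir cleanup block is the actual fix, since the truss output in the report shows the unlink(), chdir("/"), rmdir() sequence running before it and the unlink argument has to stay valid through that sequence. Two things on the lines shown remain unchecked, though: rmdir(newauthsockdir) failing is precisely the ENOTEMPTY the report hit and currently leaves no trace, so a debug message on failure would have made this bug visible at once, and fcntl(sock, F_SETFL, 0) clears every status flag rather than only O_NONBLOCK (pre-existing; the usual form is fcntl(sock, F_SETFL, fcntl(sock, F_GETFL) & ~O_NONBLOCK)).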

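Added example, not code from ssh 1.2.22 or from the reporter: the dirname/basename split done in one heap buffer, followed by the scratch-directory sequence that the truss output above implies (create a private directory, put a link to the agent socket in it under a short name, chdir there, connect by the relative name, then unlink, chdir away, rmdir). The scratch directory name, the use of a symlink, the stat() that is skipped, and the helper names (`split_in_place`, `connect_via_scratch`, `run_demo`, `fits_in_sun_path`) are assumptions made for this example; ssh's own layout is known only from the report. What it demonstrates is the ordering the patch restores: `base` is a pointer into `copy`, the unlink() that uses it runs in the cleanup, and free(copy) is the last statement of a single exit path shared by every failure.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Does `path` fit in sockaddr_un.sun_path with its NUL?  ssh's
 * strncpy(sun_path, authsocket, sizeof sun_path) truncates silently
 * and leaves no terminator when this returns 0. */
int fits_in_sun_path(const char *path)
{
    struct sockaddr_un su;
    return strlen(path) < sizeof(su.sun_path);
}

/* Split "<dir>/<base>" in place.  *dir and *base point INTO copy and
 * die with it: this aliasing is the 1.2.22 trap. */
static int split_in_place(char *copy, const char **dir, const char **base)
{
    char *slash = strrchr(copy, '/');
    if (slash == NULL)
        return -1;
    *slash = '\0';
    *dir = copy;
    *base = slash + 1;
    return 0;
}

/* Scratch-directory connect modelled on the report (assumed layout, not
 * ssh's code).  Returns 0 when link/chdir/connect/cleanup ran to
 * completion and -1 on a setup failure.  *sock_out gets the connected
 * descriptor or -1; *leftover is set if rmdir() of the scratch directory
 * fails, which is the ENOTEMPTY symptom in the truss output. */
int connect_via_scratch(const char *authsocket, int *sock_out, int *leftover)
{
    int rc = -1, sock = -1, made = 0, linked = 0;
    char *copy = NULL;
    const char *dir = NULL, *base = NULL;
    char scratch[] = "/tmp/ssh-example-XXXXXX"; /* constructed; ssh used /tmp/ssh-<user>-<pid> */
    char cwd[4096];
    struct sockaddr_un sunaddr;

    *sock_out = -1;
    *leftover = 0;
    if (getcwd(cwd, sizeof cwd) == NULL)
        return -1;
    copy = strdup(authsocket);
    if (copy == NULL || split_in_place(copy, &dir, &base) < 0)
        goto out;
    (void)dir;                            /* real code would stat() dir for owner and mode here */
    if (!fits_in_sun_path(base))          /* the short name must itself fit */
        goto out;
    if (mkdtemp(scratch) == NULL)         /* private 0700 directory */
        goto out;
    made = 1;
    if (chdir(scratch) < 0)
        goto out;
    if (symlink(authsocket, base) < 0)    /* short alias for the long path */
        goto out;
    linked = 1;

    memset(&sunaddr, 0, sizeof sunaddr);
    sunaddr.sun_family = AF_UNIX;
    memcpy(sunaddr.sun_path, base, strlen(base) + 1); /* bounded above, NUL included */
    sock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (sock < 0)
        goto out;
    if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) == 0) {
        *sock_out = sock;                 /* ownership passes to the caller */
        sock = -1;
    }
    rc = 0;                               /* sequence complete, agent or not */

out:                                      /* single exit: no step below can be skipped */
    if (sock >= 0)
        close(sock);
    if (linked)
        unlink(base);                     /* base still valid: copy not freed yet */
    if (chdir(cwd) != 0) { /* rmdir below uses an absolute path anyway */ }
    if (made && rmdir(scratch) < 0)
        *leftover = 1;
    free(copy);                           /* LAST use of the buffer; 1.2.22 freed it before the unlink */
    return rc;
}

/* Driver: 0 = clean run, no agent answered; 1 = scratch directory left
 * behind; 2 = connected; -1 = setup failed (no '/', name too long, ...). */
int run_demo(const char *authsocket)
{
    int sock, leftover;
    if (connect_via_scratch(authsocket, &sock, &leftover) < 0)
        return -1;
    if (sock >= 0) {
        close(sock);
        return 2;
    }
    return leftover ? 1 : 0;
}
```

run_demo() with the socket path from the report and no agent behind it returns 0: connect() fails, but the link is removed and the scratch directory is rmdir'ed, so nothing is left in /tmp. Moving free(copy) above the unlink(base) call reproduces the 1.2.22 behaviour: unlink reads its argument from freed memory, the link survives, rmdir fails with ENOTEMPTY, and the next run's mkdir of the same name gets EEXIST.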