[users] Security notice for RSSH...

Will McDonald wmcdonald at gmail.com
Tue Mar 7 17:00:31 CET 2006

Hey all.

I've just been messing around with RSSH for one of our systems and I
noticed this Security Notice...


Jan 6, 2006
rssh v2.3.2 released today!

Important Security Notice:

Max Vozeler has reported a problem whereby rssh can allow users who
have shell access to systems where rssh is installed (and
rssh_chroot_helper is installed SUID) to gain root access to the
system, due to the ability to chroot to arbitrary locations. There are
a lot of potentially mitigating factors, but to be safe you should
upgrade immediately. This bug affects all versions of rssh from v2.0.0
to v2.2.3, so please upgrade now!

The 2.3.0 release of rssh fixes this problem, by forcing the chroot
helper to re-parse the config file to decide where to chroot(2) to.
Users with shell access to the system can not subvert the chroot
location, and may not be able to chroot at all depending on the
configuration of rssh, which solves the problem. Unfortunately, that
release contained a number of other bugs. Missing brackets in one
function prevented the use of rsync and rdist, and there was a
segfault caused in strlen() because I forgot to remove some unused
variables. The 2.3.2 release fixes all those problems.

New in this version:

root compromise bug fix
fix for va_start/va_end bug that crashes on ia64
fix for strlen() segfault
fix for service checking bug that always allows cvs and always denies
rdist and rsync...
other small code clean-up fixes
many documentation updates and improvements.

Note also that the RPM packages are now signed with my GPG key! You
may want/need to download and import my key into rpm, using the
following command:

rpm --import keyfile


I notice the RPMForge packages are still 2.2.3-, 2.3.2- is current, is
it still being packaged?

Cheers, and thanks for all the hard work. It's really much appreciated.


More information about the users mailing list