tptacek
3 days ago
This is such a venerable and ancient class of bugs, going at least as far back as AIX 3. Glad to see they're still makin' 'em like they used to.
(If you had SSH access to a host in your Tailscale ACL, you could log in as `-i` and get a root login.)
RossBencina
3 days ago
I'm somewhat alarmed that the context that this bug was running in was capable of root login. Is there a reason that an SSH login process would, by default, have enough capabilities to facilitate direct root login?
yjftsjthsd-h
3 days ago
If it runs as your user and can only log in as you, then I wouldn't expect it to be able to become root. But if it can log you in as different users, I would expect that 1. it needs to run from root, and 2. it can log in as root.
anilakar
2 days ago
We did Tailscale-like SSH reverse tunnels at scale first in 2013 and the main issue has always been that there are no good libraries. Bash scripting around the OpenSSH binaries is pretty much the only way to go.
There's Paramiko, but Python is still a huge liability in memory-constrained systems.
formerly_proven
2 days ago
libssh, libssh2. These are totally independent and unrelated code bases, libssh is maintained by Red Hat mainly for ansible and some other tools, libssh2 was created for curl. libssh2 is client-only, libssh can also be used to implement servers.
amluto
2 days ago
Making a useful multi-uid-capable daemon that can’t become root but is not so nerfed that no one uses it is nontrivial. If nothing else, what policy would you use? Why do you think that no other uid is equivalent to root?
unprovable
2 days ago
It's so old skool, it's almost new again... almost... Still waiting for that third (or fourth?!) wave of XXE (or similar) bugs.
iririririr
3 days ago
you can also add parameters to env vars in some popular cloud providers for the same effect.