John Doe wrote: > From: Bennett Haselton <bennett at peacefire.org> > >> On 1/10/2012 5:16 AM, John Doe wrote: >>> The sshd child is running as bob; so it has bob (and not root) >>> rights... >> >> Yes, I understand that. What I said was that if you could take complete >> control of the sshd process you were connecting to, even if that process >> was completely unprivileged, you could still make it say "Accept a login >> from 'root' with password 'foo'" and then log in as root. > > How would your bob owned child sshd take complete control of the > parent root owned sshd...? I have not read the details of any given exploit, but as I understand it, if one can craft an exploit that breaks in the middle of the login, the child would die, leaving one in the parent (root) process. mark