[patch] remove deadcode

Erik Hovland erik at hovland.org
Sat Jul 8 02:30:11 WST 2006


On Fri, Jul 07, 2006 at 06:02:53PM +0800, Matt Johnston wrote:
> With the svr-chansession.c exit patch I think the current
> code is correct, as the exit value will only be unset when
> i == svr_ses.childpidsize.  I've modified the code to be a
> bit clearer anyway.
> 
> For the ssh-pty.c patch, I don't think this improves the
> security/correctness much. tty_name is always a /dev/ttyXXX
> device, and if an attacker can manipulate paths in /dev/, then
> there are larger problems.  Does that analysis sound
> reasonable?

Both sound fine to me. As far as an attacker manipulating something, all
they really have to manipulate is the string of the tty_name between the
stat and the chown. Granted, this isn't easy either. But it is the real
reason for the patch. As I said, it isn't serious - just trying to be
complete.

> (PS, if you're using the monotone head, beware that there's
> a known issue that can cause it to wait for input when
> closing on Linux.)

I am only using it for testing and auditing.

Thanks for the quick attention.

E

-- 
Erik Hovland
mail: erik AT hovland DOT org
web: http://hovland.org/
PGP/GPG public key available on request
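
The stat-then-chown window discussed in this thread, shown as an added C illustration; it is not part of the original message, not Dropbear's code and not the patch under discussion. The function names `set_owner_racy` and `set_owner_checked` are hypothetical: the first resolves the path twice, the second resolves it once and works on the file descriptor.

```c
/* Added illustration: not Dropbear code and not the patch from this thread.
 * set_owner_racy() and set_owner_checked() are hypothetical names. */
#define _XOPEN_SOURCE 700   /* O_NOFOLLOW, fchown(), S_IFMT */
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Check-then-use by name: the path is resolved twice, so the object
 * stat() examined need not be the object chown() later changes. */
int set_owner_racy(const char *path, uid_t uid, gid_t gid, mode_t want_type)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;
    if ((st.st_mode & S_IFMT) != want_type) {
        errno = EINVAL;
        return -1;
    }
    return chown(path, uid, gid);   /* second lookup of the same name */
}

/* Resolve the name once, then check and change the opened object
 * through its descriptor, so a later rename or symlink swap has no effect. */
int set_owner_checked(const char *path, uid_t uid, gid_t gid, mode_t want_type)
{
    struct stat st;
    int rc = -1, saved;
    /* O_NOFOLLOW: fail if the last path component is a symlink.
     * O_NOCTTY:   opening a tty must not make it our controlling terminal.
     * O_NONBLOCK: do not block in open() on a device. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0) {
        if ((st.st_mode & S_IFMT) == want_type)
            rc = fchown(fd, uid, gid);
        else
            errno = EINVAL;
    }
    saved = errno;      /* keep the first error across close() */
    close(fd);
    errno = saved;
    return rc;
}
```

`O_NOFOLLOW` only guards the final path component, so the directories above it still have to be writable by trusted users only.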


