This article applies to BoKS 7.1.0.
A vulnerability has been found in boks_sshd. When keystroke logging (kslog) is enabled, the uid of the running process is not changed to that of the login user.
This is not an issue for SSH_SH (interactive logins), since the kslog process must be started as root and the kslog program then changes the uid of the login process. However, for remotely executed commands, kslog is never run, and thus the uid must be changed to the uid of the logged-in user.
Resolution / Workaround
To resolve this issue, apply hotfix HFBM-0222, available for download from the HelpSystems Community Portal.
This hotfix includes an updated version of the boks_sshd binary, which verifies that only interactive ssh logins with kslog enabled are run as root (which the kslog program later changes to the uid of the logged-in user).
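The rule described above, sketched in C as an added example; this is not BoKS or boks_sshd source code. The enum, the function names and the call order are assumptions, and the sketch goes beyond the uid mentioned above by also switching the group IDs, as a standard privilege drop does.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <stdbool.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical session kinds; interactive corresponds to SSH_SH above. */
enum session_kind { SESSION_INTERACTIVE, SESSION_REMOTE_COMMAND };

/* Only an interactive login with kslog enabled may start as root, because
 * the kslog program changes the uid afterwards. Every other session must
 * change uid before the user's command is executed. */
bool may_start_as_root(enum session_kind kind, bool kslog_enabled)
{
    return kind == SESSION_INTERACTIVE && kslog_enabled;
}

/* Permanently switch to the login user: supplementary groups, gid, then uid.
 * Returns 0 on success, -1 if a step fails or root could be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;               /* only root can (and must) reset groups */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;               /* ids did not actually change */
    if (uid != 0 && setuid(0) == 0)
        return -1;               /* drop was not permanent */
    return 0;
}

/* Called in the child just before exec. Returns 0 when it is safe to exec. */
int prepare_child(enum session_kind kind, bool kslog_enabled,
                  uid_t uid, gid_t gid)
{
    if (may_start_as_root(kind, kslog_enabled))
        return 0;                /* kslog is started as root, drops later */
    return drop_privileges(uid, gid);
}
```

The caller should treat any non-zero return from `prepare_child` as fatal and exit instead of executing the command.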