[openssh-commits] [openssh] 03/04: upstream: With its own daemonization / fd cleaning code, ssh-agent

git+noreply at mindrot.org
Tue Mar 10 14:46:11 AEDT 2026


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 46eb7dc5a6f312f99437ebdcf04f0f2c03aa570b
Author: deraadt at openbsd.org <deraadt at openbsd.org>
AuthorDate: Sat Mar 7 18:35:43 2026 +0000

    upstream: With its own daemonization / fd cleaning code, ssh-agent
    
    opens /dev/null O_RDWR after a pledge without "wpath".  This is allowed in
    current pledge because "/dev/null" is implicitly allowed to be opened even
    with the most restrictive pledges or unveils.  This is a design decision in
    pledge made at the very beginning, to satisfy libc requirements.  We've
    finally had enough experience and know how to fix that in the near-future,
    but need to review and fix all code which opens these implicit paths. The fix
    is to add "wpath", so that "/dev/null" can be opened O_RDWR. But that is
    uncomfortable, so we add unveil() allowing "/" with "r", 4 unveil "x" for the
    potential askpass and helpers to be execve'd, and "/dev/null" with "wr".  As
    a result filesystem access is substantially more restricted than before, and
    ssh-agent is ready for the future pledge change. ok djm dtucker
    
    OpenBSD-Commit-ID: f223b11d2db3c0b14e53c1de59966dd5f372a977
---
 ssh-agent.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/ssh-agent.c b/ssh-agent.c
index 57167a699..03ca6f982 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.320 2026/03/05 05:35:44 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.321 2026/03/07 18:35:43 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -2572,7 +2572,25 @@ skip:
 	sigaddset(&nsigset, SIGTERM);
 	sigaddset(&nsigset, SIGUSR1);
 
-	if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
+	if (unveil("/", "r") == -1)
+		fatal("%s: unveil /: %s", __progname, strerror(errno));
+	if (getenv("SSH_SK_HELPER"))
+		if (unveil(getenv("SSH_SK_HELPER"), "x") == -1)
+			fatal("%s: unveil %s: %s", __progname,
+			    getenv("SSH_SK_HELPER"), strerror(errno));
+	if (unveil(_PATH_SSH_SK_HELPER, "x") == -1)
+		fatal("%s: unveil %s: %s", __progname,
+		    _PATH_SSH_SK_HELPER, strerror(errno));
+	if (getenv("SSH_ASKPASS"))
+		if (unveil(getenv("SSH_ASKPASS"), "x") == -1)
+			fatal("%s: unveil %s: %s", __progname,
+			    getenv("SSH_ASKPASS"), strerror(errno));
+	if (unveil(_PATH_SSH_ASKPASS_DEFAULT, "x") == -1)
+		fatal("%s: unveil %s: %s", __progname,
+		    _PATH_SSH_ASKPASS_DEFAULT, strerror(errno));
+	if (unveil("/dev/null", "rw") == -1)
+		fatal("%s: unveil /dev/null: %s", __progname, strerror(errno));
+	if (pledge("stdio rpath cpath wpath unix id proc exec", NULL) == -1)
 		fatal("%s: pledge: %s", __progname, strerror(errno));
 	platform_pledge_agent();
 
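Review bot: in the SSH_SK_HELPER and SSH_ASKPASS blocks of this hunk, getenv() is called three times per variable (in the condition, as the unveil() argument, and again in the fatal() message); hoisting each into a local such as "const char *p = getenv("SSH_SK_HELPER");" before the nested if would make the intent clearer and avoid re-scanning the environment. Also worth a comment in the code: both blocks turn an unveil() failure on an environment-supplied path into a fatal at startup, whereas before this change a bad SSH_ASKPASS or SSH_SK_HELPER value only mattered when the helper was actually executed, so a user-controlled variable can now prevent the agent from starting at all; if that is the intended trade-off, say so above the block, otherwise consider error() and leaving that helper unreachable instead of fatal(). The ordering itself looks right: the new pledge string omits the "unveil" promise, so the view built by the unveil() calls is locked by the pledge() at the end of the block, as the commit message intends.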

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
