Permissions on the ssh-agent socket

Daniel Kahn Gillmor dkg-openssh.com at fifthhorseman.net
Mon Mar 26 02:43:10 EST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri 2007-03-23 11:29:34 -0400, Alexander Wuerstlein wrote:

> If I start an ssh-agent, it creates a socket (/tmp/ssh-*/agent.*),
> with the socket's and the directory's permissions set to
> 600. However, if I now connect to a remote host with
> agent-forwarding enabled, the resulting socket on the remote host
> gets permissions 755 (the directory still gets 700).
>
> What bothers me is the go+rx part, is there any specific reason to that?
> If not, wouldn't it be better to be paranoid and use 600? 

I seem to recall that many Unices ignore permissions on sockets (i
think linux does *not* ignore them), and usually rely on the parent
directory for access control.

I haven't been able to dig up a good authoritative reference for this,
but here's a URL which implies the above.

http://www.openldap.org/lists/openldap-software/200306/msg00106.html

I think that setting the permissions restrictively would be wise (and
consistent with the initial socket creation), but given the directory
setup, it's not immediately critical.

just my $0.02,

     --dkg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8+ <http://mailcrypt.sourceforge.net/>

iD8DBQFGBqaIiXTlFKVLY2URAi96AJ9yytiefpPhMbj+O7EWEqP3w20gIACePGC5
zKuTT1rMgGegru4j6Z2yE08=
=LF+/
-----END PGP SIGNATURE-----


More information about the openssh-unix-dev mailing list