Permissions on the ssh-agent socket

Daniel Kahn Gillmor at
Mon Mar 26 02:43:10 EST 2007

On Fri 2007-03-23 11:29:34 -0400, Alexander Wuerstlein wrote:

> If I start an ssh-agent, it creates a socket (/tmp/ssh-*/agent.*),
> with the socket's and the directory's permissions set to
> 600. However, if I now connect to a remote host with
> agent-forwarding enabled, the resulting socket on the remote host
> gets permissions 755 (the directory still gets 700).
> What bothers me is the go+rx part, is there any specific reason to that?
> If not, wouldn't it be better to be paranoid and use 600? 

I seem to recall that many Unices ignore permissions on sockets (I
think Linux does *not* ignore them), and usually rely on the parent
directory for access control.

I haven't been able to dig up a good authoritative reference for this,
but here's a URL which implies the above.

I think that setting the permissions restrictively would be wise (and
consistent with the initial socket creation), but given the directory
setup, it's not immediately critical.

just my $0.02,

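As an added example (not code from the thread or from OpenSSH), the script below audits an agent socket path the way the reply above suggests: it treats the owner and mode of the parent directory as the effective access control, because every Unix enforces directory permissions on the path lookup, and reports group/other bits on the socket file itself as advisory, since some Unices ignore them (Linux does honor them). The function name audit_agent_socket, the critical/advisory labels, and the 0700 directory with a socket first at 0755 and then at 0600 in demo() are constructed for illustration; the last line shows how to point the check at a live agent through SSH_AUTH_SOCK.

```python
import os
import socket
import stat
import tempfile

# Any bit in this mask grants something to group or other.
GROUP_OTHER = 0o077


def audit_agent_socket(path, uid=None):
    """Audit an ssh-agent socket path.

    The parent directory is the access control every Unix enforces; the
    socket's own mode is defence in depth that some systems ignore.
    Returns the two modes and a list of (severity, message) findings.
    """
    uid = os.getuid() if uid is None else uid
    findings = []

    sock_st = os.lstat(path)
    dir_st = os.stat(os.path.dirname(path) or ".")
    sock_mode = stat.S_IMODE(sock_st.st_mode)
    dir_mode = stat.S_IMODE(dir_st.st_mode)

    if not stat.S_ISSOCK(sock_st.st_mode):
        findings.append(("critical", "%s is not a socket" % path))
    if sock_st.st_uid != uid:
        findings.append(("critical", "socket owned by uid %d, expected %d"
                         % (sock_st.st_uid, uid)))
    if dir_st.st_uid != uid:
        findings.append(("critical", "directory owned by uid %d, expected %d"
                         % (dir_st.st_uid, uid)))
    if dir_mode & GROUP_OTHER:
        # Directory bits gate the path lookup on every Unix.
        findings.append(("critical",
                         "directory mode %04o grants group/other access" % dir_mode))
    if sock_mode & GROUP_OTHER:
        # Socket-file bits are ignored on some Unices, so this is advisory,
        # but the 0755 seen on the forwarded side trips it.
        findings.append(("advisory",
                         "socket mode %04o grants group/other bits" % sock_mode))

    return {"socket_mode": sock_mode, "dir_mode": dir_mode, "findings": findings}


def demo():
    """Constructed scenario, not a real agent: a 0700 directory holding a
    socket at 0755 (as reported on the forwarded host), then at 0600 (as
    ssh-agent creates it locally).  Returns both audit results."""
    with tempfile.TemporaryDirectory() as tmp:
        agent_dir = os.path.join(tmp, "ssh-demo")
        os.mkdir(agent_dir, 0o700)
        os.chmod(agent_dir, 0o700)  # mkdir's mode argument is subject to umask
        path = os.path.join(agent_dir, "agent.1234")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(path)
            os.chmod(path, 0o755)
            loose = audit_agent_socket(path)
            os.chmod(path, 0o600)
            tight = audit_agent_socket(path)
        finally:
            srv.close()
    return loose, tight


if __name__ == "__main__":
    for label, result in zip(("0755 socket", "0600 socket"), demo()):
        print(label, "->", result["findings"] or "clean")
    # Against a running agent: audit_agent_socket(os.environ["SSH_AUTH_SOCK"])
```

With the directory at 0700, the 0755 socket produces only an advisory finding, which is the point of the reply: the loose socket mode is worth tightening for consistency, but the directory is what keeps other users out. A group- or world-accessible directory, or one owned by another uid, is the case to treat as critical.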


More information about the openssh-unix-dev mailing list