Permissions on the ssh-agent socket

Alexander Wuerstlein snalwuer at
Wed Mar 28 00:09:34 EST 2007

On 070325 18:44, Daniel Kahn Gillmor < at> wrote:
> Hash: SHA1
> On Fri 2007-03-23 11:29:34 -0400, Alexander Wuerstlein wrote:
> > If I start an ssh-agent, it creates a socket (/tmp/ssh-*/agent.*),
> > with the socket's and the directory's permissions set to
> > 600. However, if I now connect to a remote host with
> > agent-forwarding enabled, the resulting socket on the remote host
> > gets permissions 755 (the directory still gets 700).
> >
> > What bothers me is the go+rx part, is there any specific reason to that?
> > If not, wouldn't it be better to be paranoid and use 600? 
> I seem to recall that many Unices ignore permissions on sockets (i
> think linux does *not* ignore them), and usually rely on the parent
> directory for access control.
> I haven't been able to dig up a good authoritative reference for this,
> but here's a URL which implies the above.
> I think that setting the permissions restrictively would be wise (and
> consistent with the initial socket creation), but given the directory
> setup, it's not immediately critical.

I agree on the non-criticality, thanks for your opinion.

Consider it a feature-request :)


Alexander Wuerstlein.

More information about the openssh-unix-dev mailing list