ssh-agent and socket permission check

Darren Tucker dtucker at zip.com.au
Fri Jul 25 16:28:35 EST 2014


On 24 Jul 2014 19:32, "Damien Miller" <djm at mindrot.org> wrote:
>
> On Fri, 25 Jul 2014, Igor Bukanov wrote:
>
> > On 25 July 2014 00:09, Damien Miller <djm at mindrot.org> wrote:
> >
> > > It shouldn't be anyway. We ship it setgid by default and also use
> > > prctl() on Linux to prevent ptrace()
> >
> > So with that setup on Linux it is not possible for an ordinary account
> > to read memory of ssh-agent barring a kernel bug? In any case, as in my
> > case everything runs in a container with no setuid/setgid binaries
> > available, that would not help.
>
> If you are on Linux then prctl will still prevent ptrace, even without
> setgid.

Yeah but from memory ssh-agent will also call getpeereid() on the
connecting socket, which will prevent other uids in the same group from
making use of the key without exposing it to copying.

