Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664

Ben Lindstrom mouring at etoh.eviladmin.org
Mon May 31 03:57:27 EST 2004



On Sun, 30 May 2004, Luke Kenneth Casson Leighton wrote:

> > >   the ssh-agent fd close-on-exec is actually a really important
> > >   security bug because otherwise you end up with an open file
> > >   descriptor being passed over to a process that should have no
> > >   rights or use for it.
> >
> > The FD in question is to /dev/null and closed anyway if it isn't
> > dup'd to one of std{in,out,err} so I can't see how this achieves
> > anything.
>
>  well, i'd be remiss in not mentioning it to you: fortunately
>  in this case it looks like it's covered.
>
>  it'd be really helpful, however, if you _could_ apply that
>  close-on-exec, because without it, it's necessary to add an
>  audit "ignore" just for that file handle, which could come
>  back and bite you later, or to constantly and forever apply
>  that patch in all releases of an openssh'd selinux package.
>

Why not just fix the auditing software to understand the fact that the FD
is /dev/null?  That would be the best solution for everyone.  Since it
would stop incorrect whining, and it doesn't require a useless hack where
one is not needed.

There is nothing worse than a whiny auditing tool that gives you crap
output with a few pearls of useful information. =)

- Ben
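The disagreement above turns on two facts about descriptors and exec(): a `dup2()`'d copy never carries `FD_CLOEXEC`, so the `/dev/null` descriptors placed on stdin/stdout/stderr are inherited by the child as intended, while the original descriptor returned by `open()` is inherited too unless it is closed or marked close-on-exec, which is exactly what an fd-leak audit flags. The following C program is an added illustration of that point; it is not code from this thread or from OpenSSH. The function names are made up for the example, fd 9 stands in for the standard descriptors so the program's own output stays visible, and the exec-side probe assumes a POSIX `/bin/sh`.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if fd is marked close-on-exec (an exec'd program will not
 * inherit it), 0 if it will be inherited, -1 if fd is not open. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The pattern the thread is about: open /dev/null, dup2 it onto target_fd
 * (normally 0, 1 or 2) and keep the original descriptor for this process
 * only. dup2 never copies FD_CLOEXEC, so target_fd stays inheritable, which
 * is what the exec'd child needs; the original gets FD_CLOEXEC so the child
 * is not handed an extra, unexplained descriptor.
 * Returns the original /dev/null fd, or -1 on error. */
int point_fd_at_devnull(int target_fd)
{
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd < 0)
        return -1;
    if (nullfd == target_fd)
        return nullfd; /* landed on the target directly: must stay inheritable */
    if (dup2(nullfd, target_fd) < 0 || fcntl(nullfd, F_SETFD, FD_CLOEXEC) < 0) {
        int saved = errno;
        close(nullfd);
        errno = saved;
        return -1;
    }
    return nullfd;
}

/* Number of open descriptors in [lo, hi) that an exec'd child would
 * inherit: the check an fd-leak audit performs before exec. */
int count_inherited_fds(int lo, int hi)
{
    int n = 0;
    for (int fd = lo; fd < hi; fd++)
        if (is_cloexec(fd) == 0)
            n++;
    return n;
}

/* Empirical check from the child's side: fork, exec /bin/sh and ask it
 * whether fd is still open there. Returns 1 if open after exec, 0 if
 * closed, -1 on error. fd must be a single digit: dash only accepts
 * one-digit numbers in a ">&N" redirection. */
int fd_open_after_exec(int fd)
{
    char cmd[32];
    if (fd < 0 || fd > 9)
        return -1;
    /* stderr is silenced first so the expected "Bad file descriptor" is quiet */
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    /* fd 9 stands in for stdin/stdout/stderr so this demo's output survives */
    int nullfd = point_fd_at_devnull(9);
    if (nullfd < 0) {
        perror("point_fd_at_devnull");
        return 1;
    }
    printf("original /dev/null fd %d: cloexec=%d, open after exec=%d\n",
           nullfd, is_cloexec(nullfd), fd_open_after_exec(nullfd));
    printf("dup2'd copy on fd 9:    cloexec=%d, open after exec=%d\n",
           is_cloexec(9), fd_open_after_exec(9));
    printf("descriptors 3..9 a child would inherit: %d\n",
           count_inherited_fds(3, 10));
    return 0;
}
```

Run as-is, the program shows the original descriptor marked close-on-exec and gone in the child, while the `dup2()`'d copy is inherited. Dropping the `F_SETFD` call makes the original show up as inherited too, which is the state an audit tool reports when it does not special-case `/dev/null`.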
More information about the openssh-unix-dev mailing list