author | Colin Watson <cjwatson@debian.org> | 2013-06-08 22:18:07 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2013-06-08 22:18:07 +0100 |
commit | 074489e1e6e97c75d87750035dbaf8c693e9736e (patch) | |
tree | 838e11a456ea7152c71417acd2c71060dc6c7707 | |
parent | 04603e44daf10700cc3d987e4119efd9a30bb259 (diff) |
Document consequences of ssh-agent being setgid in ssh-agent(1); see
#711623.
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | debian/patches/ssh-agent-setgid.patch | 32 | ||||
-rw-r--r-- | ssh-agent.1 | 15 |
4 files changed, 55 insertions, 0 deletions
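--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:6.2p2-5) UNRELEASED; urgency=low
+
+* Document consequences of ssh-agent being setgid in ssh-agent(1); see
+#711623.
+
+-- Colin Watson <cjwatson@debian.org> Sat, 08 Jun 2013 22:12:27 +0100
+
 openssh (1:6.2p2-4) unstable; urgency=low
 
 * Fix non-portable shell in ssh-copy-id (closes: #711162).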
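--- a/debian/patches/series
+++ b/debian/patches/series
@@ -41,6 +41,7 @@ openbsd-docs.patch
 ssh-argv0.patch
 doc-hash-tab-completion.patch
 doc-upstart.patch
+ssh-agent-setgid.patch
 
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch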
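--- /dev/null
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -0,0 +1,32 @@
+Description: Document consequences of ssh-agent being setgid in ssh-agent(1)
+Author: Colin Watson <cjwatson@debian.org>
+Bug-Debian: http://bugs.debian.org/711623
+Forwarded: no
+Last-Update: 2013-06-08
+
+Index: b/ssh-agent.1
+===================================================================
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -182,6 +182,21 @@
+.Pp
+The agent exits automatically when the command given on the command
+line terminates.
++.Pp
++In Debian,
++.Nm
++is installed with the set-group-id bit set, to prevent
++.Xr ptrace 2
++attacks retrieving private key material.
++This has the side-effect of causing the run-time linker to remove certain
++environment variables which might have security implications for set-id
++programs, including
++.Ev LD_PRELOAD ,
++.Ev LD_LIBRARY_PATH ,
++and
++.Ev TMPDIR .
++If you need to set any of these environment variables, you will need to do
++so in the program executed by ssh-agent.
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa ~/.ssh/identity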
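--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -182,6 +182,21 @@ environment variable holds the agent's process ID.
 .Pp
 The agent exits automatically when the command given on the command
 line terminates.
+.Pp
+In Debian,
+.Nm
+is installed with the set-group-id bit set, to prevent
+.Xr ptrace 2
+attacks retrieving private key material.
+This has the side-effect of causing the run-time linker to remove certain
+environment variables which might have security implications for set-id
+programs, including
+.Ev LD_PRELOAD ,
+.Ev LD_LIBRARY_PATH ,
+and
+.Ev TMPDIR .
+If you need to set any of these environment variables, you will need to do
+so in the program executed by ssh-agent.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/identity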