author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:13 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-06-07 10:25:35 +0100
commit: 303cbd5533df863d518bc61d837ce56a93166b11 (patch)
tree: 254cccf4e20d41c4f8cd06cfc1da34925a5803e8
parent: 0402bdf307736b3afae8c80c84f04b0295990c45 (diff)
Document consequences of ssh-agent being setgid in ssh-agent(1)
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2020-02-21
Patch-Name: ssh-agent-setgid.patch
-rw-r--r-- ssh-agent.1 | 15
1 files changed, 15 insertions, 0 deletions
diff --git a/ssh-agent.1 b/ssh-agent.1
index fff0db6bc..99e4f6d2e 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -201,6 +201,21 @@ socket and stores its pathname in this variable.
201It is accessible only to the current user, 201It is accessible only to the current user,
202but is easily abused by root or another instance of the same user. 202but is easily abused by root or another instance of the same user.
203.El 203.El
204.Pp
205In Debian,
206.Nm
207is installed with the set-group-id bit set, to prevent
208.Xr ptrace 2
209attacks retrieving private key material.
210This has the side-effect of causing the run-time linker to remove certain
211environment variables which might have security implications for set-id
212programs, including
213.Ev LD_PRELOAD ,
214.Ev LD_LIBRARY_PATH ,
215and
216.Ev TMPDIR .
217If you need to set any of these environment variables, you will need to do
218so in the program executed by ssh-agent.
204.Sh FILES 219.Sh FILES
205.Bl -tag -width Ds 220.Bl -tag -width Ds
206.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> 221.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
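Review bot: the new paragraph (man page lines 210-216) states that the run-time linker strips TMPDIR from the environment of the setgid ssh-agent, yet the FILES section immediately below still documents the socket as `$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>`; on Debian the agent can never see the caller's TMPDIR, so the socket always ends up in the default temporary directory (typically /tmp). Either say so explicitly in the new paragraph, e.g. "As a consequence, the agent socket is always created under the default temporary directory rather than under $TMPDIR", or qualify the FILES entry so the two sections do not contradict each other. The closing sentence "you will need to do so in the program executed by ssh-agent" is also ambiguous about which program is meant; name it (the command given on ssh-agent's command line, or the shell that later uses the agent), since the agent process itself will not receive these variables. Finally, "might have security implications" understates the point: the linker drops these variables precisely because they let a caller inject code into a set-id program, so "which would otherwise allow a caller to inject code into a set-id program" is both more accurate and explains why the side-effect is unavoidable.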