author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:13 +0000
committer: Colin Watson <cjwatson@debian.org> 2019-06-05 13:11:53 +0100
commit: 9e040aefaefa40bcbe5dcdc0f9f03555cf8fe2d0
tree: 80ddfa3d77b602eacf84c86d4190034d48e1ee42
parent: 099b0bdc57b9a21842c457d83ff9488fa814c9c4
Document consequences of ssh-agent being setgid in ssh-agent(1)
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2013-06-08
Patch-Name: ssh-agent-setgid.patch
-rw-r--r-- ssh-agent.1 15
1 files changed, 15 insertions, 0 deletions
diff --git a/ssh-agent.1 b/ssh-agent.1
index 83b2b41c8..7230704a3 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -206,6 +206,21 @@ environment variable holds the agent's process ID.
206.Pp 206.Pp
207The agent exits automatically when the command given on the command 207The agent exits automatically when the command given on the command
208line terminates. 208line terminates.
209.Pp
210In Debian,
211.Nm
212is installed with the set-group-id bit set, to prevent
213.Xr ptrace 2
214attacks retrieving private key material.
215This has the side-effect of causing the run-time linker to remove certain
216environment variables which might have security implications for set-id
217programs, including
218.Ev LD_PRELOAD ,
219.Ev LD_LIBRARY_PATH ,
220and
221.Ev TMPDIR .
222If you need to set any of these environment variables, you will need to do
223so in the program executed by ssh-agent.
209.Sh FILES 224.Sh FILES
210.Bl -tag -width Ds 225.Bl -tag -width Ds
211.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> 226.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
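Review bot: The added paragraph says the run-time linker removes TMPDIR (new line 221), yet the FILES entry immediately after it (line 226) still documents the socket as `$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>`, so on Debian the page now gives two conflicting accounts of where the socket is created. Suggest adding a sentence to the new paragraph, or a qualifier on the FILES entry, stating that the agent itself does not see TMPDIR when the set-group-id bit is set and naming the location used instead. Two smaller points: the workaround in lines 222-223 ("in the program executed by ssh-agent") only applies when the agent is started with a command, so it would help to say that explicitly, and that sentence should use `.Nm` rather than the literal "ssh-agent" to match line 211.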