Document consequences of ssh-agent being setgid in ssh-agent(1); see

#711623.
author: Colin Watson <cjwatson@debian.org> 2013-06-08 22:18:07 +0100
committer: Colin Watson <cjwatson@debian.org> 2013-06-08 22:18:07 +0100
commit: 074489e1e6e97c75d87750035dbaf8c693e9736e (patch)
tree: 838e11a456ea7152c71417acd2c71060dc6c7707
parent: 04603e44daf10700cc3d987e4119efd9a30bb259 (diff)
4 files changed, 55 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 2bf27dad9..7ab444385 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:6.2p2-5) UNRELEASED; urgency=low
+  * Document consequences of ssh-agent being setgid in ssh-agent(1); see
+    #711623.
+ -- Colin Watson <cjwatson@debian.org>  Sat, 08 Jun 2013 22:12:27 +0100
 openssh (1:6.2p2-4) unstable; urgency=low
  * Fix non-portable shell in ssh-copy-id (closes: #711162).
diff --git a/debian/patches/series b/debian/patches/series
index 6d6020805..c99a496b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -41,6 +41,7 @@ openbsd-docs.patch
 ssh-argv0.patch
 doc-hash-tab-completion.patch
 doc-upstart.patch
+ssh-agent-setgid.patch
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
new file mode 100644
index 000000000..7e909a165
--- /dev/null
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -0,0 +1,32 @@
+Description: Document consequences of ssh-agent being setgid in ssh-agent(1)
+Author: Colin Watson <cjwatson@debian.org>
+Bug-Debian: http://bugs.debian.org/711623
+Forwarded: no
+Last-Update: 2013-06-08
+Index: b/ssh-agent.1
+===================================================================
+--- a/ssh-agent.1
+++ b/ssh-agent.1
+@@ -182,6 +182,21 @@
+ .Pp
+ The agent exits automatically when the command given on the command
+ line terminates.
+.Pp
+In Debian,
+.Nm
+is installed with the set-group-id bit set, to prevent
+.Xr ptrace 2
+attacks retrieving private key material.
+This has the side-effect of causing the run-time linker to remove certain
+environment variables which might have security implications for set-id
+programs, including
+.Ev LD_PRELOAD ,
+.Ev LD_LIBRARY_PATH ,
+and
+.Ev TMPDIR .
+If you need to set any of these environment variables, you will need to do
+so in the program executed by ssh-agent.
+ .Sh FILES
+ .Bl -tag -width Ds
+ .It Pa ~/.ssh/identity
diff --git a/ssh-agent.1 b/ssh-agent.1
index bb801c902..d370531bb 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -182,6 +182,21 @@ environment variable holds the agent's process ID.
 .Pp
 The agent exits automatically when the command given on the command
 line terminates.
+.Pp
+In Debian,
+.Nm
+is installed with the set-group-id bit set, to prevent
+.Xr ptrace 2
+attacks retrieving private key material.
+This has the side-effect of causing the run-time linker to remove certain
+environment variables which might have security implications for set-id
+programs, including
+.Ev LD_PRELOAD ,
+.Ev LD_LIBRARY_PATH ,
+and
+.Ev TMPDIR .
+If you need to set any of these environment variables, you will need to do
+so in the program executed by ssh-agent.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/identity
author	Colin Watson <cjwatson@debian.org>	2013-06-08 22:18:07 +0100
committer	Colin Watson <cjwatson@debian.org>	2013-06-08 22:18:07 +0100
commit	074489e1e6e97c75d87750035dbaf8c693e9736e (patch)
tree	838e11a456ea7152c71417acd2c71060dc6c7707
parent	04603e44daf10700cc3d987e4119efd9a30bb259 (diff)

diff --git a/debian/changelog b/debian/changelog index 2bf27dad9..7ab444385 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,10 @@
		1	openssh (1:6.2p2-5) UNRELEASED; urgency=low
		2
		3	* Document consequences of ssh-agent being setgid in ssh-agent(1); see
		4	#711623.
		5
		6	-- Colin Watson <cjwatson@debian.org> Sat, 08 Jun 2013 22:12:27 +0100
		7
1	openssh (1:6.2p2-4) unstable; urgency=low	8	openssh (1:6.2p2-4) unstable; urgency=low
2		9
3	* Fix non-portable shell in ssh-copy-id (closes: #711162).	10	* Fix non-portable shell in ssh-copy-id (closes: #711162).


diff --git a/debian/patches/series b/debian/patches/series index 6d6020805..c99a496b5 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -41,6 +41,7 @@ openbsd-docs.patch
41	ssh-argv0.patch	41	ssh-argv0.patch
42	doc-hash-tab-completion.patch	42	doc-hash-tab-completion.patch
43	doc-upstart.patch	43	doc-upstart.patch
		44	ssh-agent-setgid.patch
44		45
45	# Debian-specific configuration	46	# Debian-specific configuration
46	gnome-ssh-askpass2-icon.patch	47	gnome-ssh-askpass2-icon.patch


diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch new file mode 100644 index 000000000..7e909a165 --- /dev/null +++ b/debian/patches/ssh-agent-setgid.patch
@@ -0,0 +1,32 @@
		1	Description: Document consequences of ssh-agent being setgid in ssh-agent(1)
		2	Author: Colin Watson <cjwatson@debian.org>
		3	Bug-Debian: http://bugs.debian.org/711623
		4	Forwarded: no
		5	Last-Update: 2013-06-08
		6
		7	Index: b/ssh-agent.1
		8	===================================================================
		9	--- a/ssh-agent.1
		10	+++ b/ssh-agent.1
		11	@@ -182,6 +182,21 @@
		12	.Pp
		13	The agent exits automatically when the command given on the command
		14	line terminates.
		15	+.Pp
		16	+In Debian,
		17	+.Nm
		18	+is installed with the set-group-id bit set, to prevent
		19	+.Xr ptrace 2
		20	+attacks retrieving private key material.
		21	+This has the side-effect of causing the run-time linker to remove certain
		22	+environment variables which might have security implications for set-id
		23	+programs, including
		24	+.Ev LD_PRELOAD ,
		25	+.Ev LD_LIBRARY_PATH ,
		26	+and
		27	+.Ev TMPDIR .
		28	+If you need to set any of these environment variables, you will need to do
		29	+so in the program executed by ssh-agent.
		30	.Sh FILES
		31	.Bl -tag -width Ds
		32	.It Pa ~/.ssh/identity


diff --git a/ssh-agent.1 b/ssh-agent.1 index bb801c902..d370531bb 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1
@@ -182,6 +182,21 @@ environment variable holds the agent's process ID.
182	.Pp	182	.Pp
183	The agent exits automatically when the command given on the command	183	The agent exits automatically when the command given on the command
184	line terminates.	184	line terminates.
		185	.Pp
		186	In Debian,
		187	.Nm
		188	is installed with the set-group-id bit set, to prevent
		189	.Xr ptrace 2
		190	attacks retrieving private key material.
		191	This has the side-effect of causing the run-time linker to remove certain
		192	environment variables which might have security implications for set-id
		193	programs, including
		194	.Ev LD_PRELOAD ,
		195	.Ev LD_LIBRARY_PATH ,
		196	and
		197	.Ev TMPDIR .
		198	If you need to set any of these environment variables, you will need to do
		199	so in the program executed by ssh-agent.
185	.Sh FILES	200	.Sh FILES
186	.Bl -tag -width Ds	201	.Bl -tag -width Ds
187	.It Pa ~/.ssh/identity	202	.It Pa ~/.ssh/identity