diff options
| author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:13 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2014-10-07 14:27:21 +0100 |
| commit | 78dd041bb6ad29ceb35f05b539b09ccf761eaee2 (patch) | |
| tree | 71417bfbcd9153b11d812c1bc424c284f8543e72 | |
| parent | 252e76b3ad6e83a798e479a2beba5be7000ff85e (diff) | |
Document consequences of ssh-agent being setgid in ssh-agent(1)
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2013-06-08
Patch-Name: ssh-agent-setgid.patch
| -rw-r--r-- | ssh-agent.1 | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/ssh-agent.1 b/ssh-agent.1 index a1e634fe0..f2c408070 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 | |||
| @@ -172,6 +172,21 @@ environment variable holds the agent's process ID. | |||
| 172 | .Pp | 172 | .Pp |
| 173 | The agent exits automatically when the command given on the command | 173 | The agent exits automatically when the command given on the command |
| 174 | line terminates. | 174 | line terminates. |
| 175 | .Pp | ||
| 176 | In Debian, | ||
| 177 | .Nm | ||
| 178 | is installed with the set-group-id bit set, to prevent | ||
| 179 | .Xr ptrace 2 | ||
| 180 | attacks retrieving private key material. | ||
| 181 | This has the side-effect of causing the run-time linker to remove certain | ||
| 182 | environment variables which might have security implications for set-id | ||
| 183 | programs, including | ||
| 184 | .Ev LD_PRELOAD , | ||
| 185 | .Ev LD_LIBRARY_PATH , | ||
| 186 | and | ||
| 187 | .Ev TMPDIR . | ||
| 188 | If you need to set any of these environment variables, you will need to do | ||
| 189 | so in the program executed by ssh-agent. | ||
| 175 | .Sh FILES | 190 | .Sh FILES |
| 176 | .Bl -tag -width Ds | 191 | .Bl -tag -width Ds |
| 177 | .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt | 192 | .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt |