diff options
| author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:13 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2020-10-18 12:07:21 +0100 |
| commit | 7a305ed4a0cba43d0d1bc6ebf5737521a0854a9d (patch) | |
| tree | 204d0c1c8f64d11e48bde3abdf25b4921024a52f /ssh-agent.1 | |
| parent | 5fca8a730171f96a72007118c0d35cf4a09359f8 (diff) | |
Document consequences of ssh-agent being setgid in ssh-agent(1)
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2020-02-21
Patch-Name: ssh-agent-setgid.patch
Diffstat (limited to 'ssh-agent.1')
| -rw-r--r-- | ssh-agent.1 | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/ssh-agent.1 b/ssh-agent.1 index 2cf46160b..272da79b3 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 | |||
| @@ -206,6 +206,21 @@ socket and stores its pathname in this variable. | |||
| 206 | It is accessible only to the current user, | 206 | It is accessible only to the current user, |
| 207 | but is easily abused by root or another instance of the same user. | 207 | but is easily abused by root or another instance of the same user. |
| 208 | .El | 208 | .El |
| 209 | .Pp | ||
| 210 | In Debian, | ||
| 211 | .Nm | ||
| 212 | is installed with the set-group-id bit set, to prevent | ||
| 213 | .Xr ptrace 2 | ||
| 214 | attacks retrieving private key material. | ||
| 215 | This has the side-effect of causing the run-time linker to remove certain | ||
| 216 | environment variables which might have security implications for set-id | ||
| 217 | programs, including | ||
| 218 | .Ev LD_PRELOAD , | ||
| 219 | .Ev LD_LIBRARY_PATH , | ||
| 220 | and | ||
| 221 | .Ev TMPDIR . | ||
| 222 | If you need to set any of these environment variables, you will need to do | ||
| 223 | so in the program executed by ssh-agent. | ||
| 209 | .Sh FILES | 224 | .Sh FILES |
| 210 | .Bl -tag -width Ds | 225 | .Bl -tag -width Ds |
| 211 | .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> | 226 | .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> |