From 074489e1e6e97c75d87750035dbaf8c693e9736e Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Sat, 8 Jun 2013 22:18:07 +0100
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1); see #711623.

---
 debian/changelog | 7 +++++++
 debian/patches/series | 1 +
 debian/patches/ssh-agent-setgid.patch | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+)
 create mode 100644 debian/patches/ssh-agent-setgid.patch

(limited to 'debian')

diff --git a/debian/changelog b/debian/changelog
index 2bf27dad9..7ab444385 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:6.2p2-5) UNRELEASED; urgency=low
+
+ * Document consequences of ssh-agent being setgid in ssh-agent(1); see
+ #711623.
+
+ -- Colin Watson Sat, 08 Jun 2013 22:12:27 +0100
+
 openssh (1:6.2p2-4) unstable; urgency=low
 
 * Fix non-portable shell in ssh-copy-id (closes: #711162).
diff --git a/debian/patches/series b/debian/patches/series
index 6d6020805..c99a496b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -41,6 +41,7 @@ openbsd-docs.patch
 ssh-argv0.patch
 doc-hash-tab-completion.patch
 doc-upstart.patch
+ssh-agent-setgid.patch
 
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
new file mode 100644
index 000000000..7e909a165
--- /dev/null
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -0,0 +1,32 @@
+Description: Document consequences of ssh-agent being setgid in ssh-agent(1)
+Author: Colin Watson
+Bug-Debian: http://bugs.debian.org/711623
+Forwarded: no
+Last-Update: 2013-06-08
+
+Index: b/ssh-agent.1
+===================================================================
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -182,6 +182,21 @@
+ .Pp
+ The agent exits automatically when the command given on the command
+ line terminates.
++.Pp
++In Debian,
++.Nm
++is installed with the set-group-id bit set, to prevent
++.Xr ptrace 2
++attacks retrieving private key material.
++This has the side-effect of causing the run-time linker to remove certain
++environment variables which might have security implications for set-id
++programs, including
++.Ev LD_PRELOAD ,
++.Ev LD_LIBRARY_PATH ,
++and
++.Ev TMPDIR .
++If you need to set any of these environment variables, you will need to do
++so in the program executed by ssh-agent.
+ .Sh FILES
+ .Bl -tag -width Ds
+ .It Pa ~/.ssh/identity
-- cgit v1.2.3