40 lines
1.2 KiB
Diff
40 lines
1.2 KiB
Diff
From 8b13bba78cbebca9f74c89f6d35c716b871f9598 Mon Sep 17 00:00:00 2001
|
|
From: Colin Watson <cjwatson@debian.org>
|
|
Date: Sun, 9 Feb 2014 16:10:13 +0000
|
|
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
|
|
|
|
Bug-Debian: http://bugs.debian.org/711623
|
|
Forwarded: no
|
|
Last-Update: 2020-02-21
|
|
|
|
Patch-Name: ssh-agent-setgid.patch
|
|
---
|
|
ssh-agent.1 | 15 +++++++++++++++
|
|
1 file changed, 15 insertions(+)
|
|
|
|
diff --git a/ssh-agent.1 b/ssh-agent.1
|
|
index 533ad6d3a..43f9cf7aa 100644
|
|
--- a/ssh-agent.1
|
|
+++ b/ssh-agent.1
|
|
@@ -284,6 +284,21 @@ socket and stores its pathname in this variable.
|
|
It is accessible only to the current user,
|
|
but is easily abused by root or another instance of the same user.
|
|
.El
|
|
+.Pp
|
|
+In Debian,
|
|
+.Nm
|
|
+is installed with the set-group-id bit set, to prevent
|
|
+.Xr ptrace 2
|
|
+attacks retrieving private key material.
|
|
+This has the side-effect of causing the run-time linker to remove certain
|
|
+environment variables which might have security implications for set-id
|
|
+programs, including
|
|
+.Ev LD_PRELOAD ,
|
|
+.Ev LD_LIBRARY_PATH ,
|
|
+and
|
|
+.Ev TMPDIR .
|
|
+If you need to set any of these environment variables, you will need to do
|
|
+so in the program executed by ssh-agent.
|
|
.Sh FILES
|
|
.Bl -tag -width Ds
|
|
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
|