Re: ssh-agent and socket permission check

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 24 Jul 2014 19:32, "Damien Miller" <djm@xxxxxxxxxxx> wrote:
>
> On Fri, 25 Jul 2014, Igor Bukanov wrote:
>
> > On 25 July 2014 00:09, Damien Miller <djm@xxxxxxxxxxx> wrote:
> >
> > > It shouldn't be anyway. We ship it setgid by default and also use
> > > prctl()
> > > on Linux to prevent ptrace()
> >
> > So with that setup on Linux it is not possible for an ordinary account
to
> > read memory of ssh-agent barring a kernel bug? In any case, as in my
case
> > everything runs in a container with no setuid/setguid binaries
available,
> > that would not help.
>
> If you are on Linux then prctl will still prevent ptrace, even without
> setgid.

Yeah but from memory ssh-agent will also call getpeereid() on the
connecting socket, which will prevent other uids in the same group from
making use of the key without exposing it to copying.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux