On 24 Jul 2014 19:32, "Damien Miller" <djm@xxxxxxxxxxx> wrote:
>
> On Fri, 25 Jul 2014, Igor Bukanov wrote:
>
> > On 25 July 2014 00:09, Damien Miller <djm@xxxxxxxxxxx> wrote:
> >
> > > It shouldn't be anyway. We ship it setgid by default and also use
> > > prctl()
> > > on Linux to prevent ptrace()
> >
> > So with that setup on Linux it is not possible for an ordinary account to
> > read memory of ssh-agent barring a kernel bug? In any case, as in my case
> > everything runs in a container with no setuid/setgid binaries available,
> > that would not help.
>
> If you are on Linux then prctl will still prevent ptrace, even without
> setgid.

Yeah but from memory ssh-agent will also call getpeereid() on the connecting
socket, which will prevent other uids in the same group from making use of
the key without exposing it to copying.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev