Re: OpenSSH 3.5p1
cjwatson@debian.org said:
> I'm currently putting together packages for 3.5p1. The Debian patches
> forward-port without too much trouble, etc. However, is anyone in a
> position to explain briefly what this "install ssh-agent setgid to avoid
> ptrace attacks" thing is about?
>
> Also, although it appears to drop privileges immediately and not regain
> them, will it provide additional security to use a special-purpose
> group? The Red Hat packages in OpenSSH CVS use group nobody.
from ptrace(2):

    EPERM The specified process cannot be traced. This could be because the
          has insufficient privileges; non-root processes cannot trace
          processes that they cannot send signals to or those running
          setuid/setgid programs, for obvious reasons. Alternatively, the
          process may already be being traced, or be init (pid 1).

So it would seem that by making ssh-agent setgid, other processes are
prevented from using ptrace to attach to ssh-agent and steal secrets.

Though it seems that if you can ptrace attach to an ssh-agent, you could
just connect to its unix socket like ssh does.

Overall, limiting the ways to get secrets out of ssh-agent is a Good
Thing, I'd say.

To answer your question, it would seem that the group is of no
consequence. It's the fact that the binary is setgid anygroup that's
important.
Jason
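A check for the two points made in the reply above (the setgid bit on the installed binary, and the resulting refusal of ptrace attach to the running agent), as an added example that is not from the thread, from OpenSSH or from the Debian packages. It assumes Linux procfs, and the binary path and PID are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSH/Debian packages.
# Checks the two points above: the installed ssh-agent carries the setgid bit
# (which group does not matter), and a running agent is therefore non-dumpable,
# so PTRACE_ATTACH by an unprivileged user fails with EPERM. Assumes Linux
# procfs; the binary path and PID are supplied by the caller.

# 0 if PATH is a regular file with the setgid bit set, 1 otherwise.
agent_binary_is_setgid() {
    [ -f "$1" ] && [ -g "$1" ]
}

# Real uid of process PID from /proc/PID/status, or empty if unreadable.
proc_real_uid() {
    awk '/^Uid:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# 0 if process PID is non-dumpable, 1 if dumpable, 2 if undecidable.
# Linux clears the dumpable flag on exec of a setgid binary and does not
# restore it when the agent later drops the group with setgid(2); a
# non-dumpable task refuses non-root tracers and its /proc/PID directory
# is owned by root instead of the process's own user, which is what we
# look at here. For a process whose real uid is root this is inconclusive.
agent_process_is_protected() {
    pid=$1
    [ -d "/proc/$pid" ] || return 2
    ruid=$(proc_real_uid "$pid")
    [ -n "$ruid" ] && [ "$ruid" -ne 0 ] || return 2
    dir_owner=$(ls -ldn "/proc/$pid" | awk '{ print $3 }')
    [ "$dir_owner" -eq 0 ]
}

# Report on an installed binary and a running agent PID.
check_ssh_agent() {
    if agent_binary_is_setgid "$1"; then
        echo "$1: setgid bit set, ptrace attach to the agent will be refused"
    else
        echo "$1: NOT setgid, any process of the same user may ptrace it"
    fi
    rc=0; agent_process_is_protected "$2" || rc=$?
    case $rc in
        0) echo "pid $2: non-dumpable, attach by an unprivileged user gets EPERM" ;;
        1) echo "pid $2: dumpable, still traceable by its own user" ;;
        *) echo "pid $2: cannot decide (no /proc, no such process, or runs as root)" ;;
    esac
}

# Usage: sh check-agent.sh /usr/bin/ssh-agent "$(pidof ssh-agent)"
if [ $# -eq 2 ]; then check_ssh_agent "$1" "$2"; fi
```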