
Re: OpenSSH 3.5p1



cjwatson@debian.org said:
> I'm currently putting together packages for 3.5p1. The Debian patches
> forward-port without too much trouble, etc. However, is anyone in a
> position to explain briefly what this "install ssh-agent setgid to avoid
> ptrace attacks" thing is about?
> 
> Also, although it appears to drop privileges immediately and not regain
> them, will it provide additional security to use a special-purpose
> group? The Red Hat packages in OpenSSH CVS use group nobody.

from ptrace(2):

EPERM  The  specified  process  cannot be traced.  This could be because the
       parent has insufficient privileges; non-root processes cannot trace
       processes that they  cannot  send  signals  to or those running
       setuid/setgid programs, for obvious reasons.  Alternatively, the
       process may already be being traced, or be init (pid 1).

So it would seem that by making ssh-agent setgid, other processes are
prevented from using ptrace to attach to ssh-agent and steal secrets.
Though it seems that if you can ptrace attach to an ssh-agent, you could
just connect to its unix socket like ssh does. 

Overall, limiting the ways to get secrets out of ssh-agent is a Good
Thing, I'd say.

To answer your question, it would seem that the group is of no
consequence. It's the fact that the binary is setgid anygroup that's
important.

Jason
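As an added example that is not part of the thread, the shell script below checks the two points discussed above: whether the installed ssh-agent binary actually carries the setgid bit (any group), and whether a running agent ended up non-dumpable, which on Linux shows as its /proc/<pid> directory being owned by root. It assumes Linux with GNU coreutils (stat -c); the --check flag, the script name and the SSH_AGENT_PID lookup are my own conventions, not anything from the packages.

```shell
#!/bin/sh
# Added example, not from the thread: verify the setgid ssh-agent mitigation.
# Assumes Linux with GNU coreutils (stat -c) and procfs mounted at /proc.

# Return 0 if file $1 has the setgid bit, 1 if it is a regular file without
# it, 2 if it does not exist. The group does not matter for the mitigation:
# the bit itself makes the kernel mark the process non-dumpable at exec time.
agent_is_setgid() {
    [ -f "$1" ] || return 2
    [ -g "$1" ] || return 1
    return 0
}

# Print "mode owner group" for file $1, e.g. "2755 root nogroup".
agent_perms() {
    stat -c '%a %U %G' "$1"
}

# Print the owner of /proc/$1. The kernel re-owns that directory to root
# while the process is non-dumpable, the same state that makes ptrace
# attach from the unprivileged user who started the agent fail with EPERM.
agent_proc_owner() {
    stat -c '%U' "/proc/$1"
}

# Return 0 if the agent with pid $1 appears non-dumpable, 1 otherwise.
agent_is_protected() {
    [ "$(agent_proc_owner "$1")" = "root" ]
}

# Report on the installed binary and, if SSH_AGENT_PID is set, on the
# running agent. Run as: sh check-agent.sh --check  (name is an assumption)
if [ "${1:-}" = "--check" ]; then
    bin=$(command -v ssh-agent)
    if agent_is_setgid "$bin"; then
        echo "$bin is setgid ($(agent_perms "$bin"))"
    else
        echo "$bin is NOT setgid ($(agent_perms "$bin"))"
    fi
    if [ -n "${SSH_AGENT_PID:-}" ]; then
        if agent_is_protected "$SSH_AGENT_PID"; then
            echo "agent pid $SSH_AGENT_PID is non-dumpable: ptrace attach blocked"
        else
            echo "agent pid $SSH_AGENT_PID is dumpable: ptrace attach not blocked"
        fi
    fi
fi
```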
