Re: OpenSSH 3.5p1
On Thu, Oct 24, 2002 at 06:02:43PM +0000, Jason Lunz wrote:
> cjwatson@debian.org said:
> > I'm currently putting together packages for 3.5p1. The Debian patches
> > forward-port without too much trouble, etc. However, is anyone in a
> > position to explain briefly what this "install ssh-agent setgid to avoid
> > ptrace attacks" thing is about?
> >
> > Also, although it appears to drop privileges immediately and not regain
> > them, will it provide additional security to use a special-purpose
> > group? The Red Hat packages in OpenSSH CVS use group nobody.
>
> from ptrace(2):
>
> EPERM The specified process cannot be traced. This could be because the
> has insufficient privileges; non-root processes cannot trace
> processes that they cannot send signals to or those running
> setuid/setgid programs, for obvious reasons. Alternatively, the
> process may already be being traced, or be init (pid 1).
Ah, I understand now. Thanks for the clarification.
[cjwatson@arborlon ~]$ ls -l /usr/bin/ssh-agent
-rwxr-sr-x 1 root nogroup 47368 Oct 24 15:15 /usr/bin/ssh-agent
[cjwatson@arborlon ~]$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-XXt4IObF/agent.9009; export SSH_AUTH_SOCK;
SSH_AGENT_PID=9010; export SSH_AGENT_PID;
echo Agent pid 9010;
[cjwatson@arborlon ~]$ strace -p 9010
attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted
> To answer your question, it would seem that the group is of no
> consequence. It's the fact that the binary is setgid anygroup that's
> important.
Right. At the risk of complicating ssh.postinst further, though, I think
I might make it setgid ssh just to forestall (rightly) panicky bug
reports from those who haven't read the beginning of ssh-agent's main().
Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
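
The privilege drop discussed in this thread, as an added C example that is not part of the original messages and is not ssh-agent's own code: a setgid helper gives up its extra group as its first action, then reports whether the kernel marks it non-dumpable, the state in which current Linux refuses an unprivileged PTRACE_ATTACH with EPERM. It assumes Linux, and all function names are hypothetical.

```c
#define _GNU_SOURCE             /* setresgid/getresgid */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if mode describes a setgid executable such as the -rwxr-sr-x shown above.
 * Directories and files without group-execute use the bit for other purposes. */
int is_setgid_exec(mode_t mode)
{
    return S_ISREG(mode) && (mode & S_ISGID) && (mode & S_IXGRP);
}

/* Give up the group gained through the setgid bit for good: real, effective
 * and saved gid all become the caller's real gid. Returns 0 on success. */
int drop_setgid_group(void)
{
    gid_t real = getgid(), r, e, s;

    if (setresgid(real, real, real) != 0)
        return -1;
    if (getresgid(&r, &e, &s) != 0)      /* verify, do not assume */
        return -1;
    return (r == real && e == real && s == real) ? 0 : -1;
}

/* 1 if this process is not freely dumpable (flag 0 or 2), 0 if it is (flag 1). */
int is_non_dumpable(void)
{
    int d = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    return d == 0 || d == 2;
}

int main(void)
{
    struct stat st;

    if (drop_setgid_group() != 0) {      /* first action, before any real work */
        perror("drop_setgid_group");
        return 1;
    }
    if (stat("/proc/self/exe", &st) == 0)
        printf("setgid executable: %s\n", is_setgid_exec(st.st_mode) ? "yes" : "no");
    printf("non-dumpable: %s\n", is_non_dumpable() ? "yes" : "no");
    printf("gid=%d egid=%d\n", (int)getgid(), (int)getegid());
    return 0;
}
```

Built normally it reports a dumpable process; installed mode 2755 with a group the invoking user is not in, it reports non-dumpable even after the group has been dropped.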