
Bug#711623: Re: Bug#711623: ssh-agent: Removes LD_LIBRARY_PATH from environment



Hi,

>> ssh-agent removes the $LD_LIBRARY_PATH from the environment it was started in.
> 
> This is a direct consequence of it being setgid, which is required to
> protect the keys it stores from being retrievable using ptrace attacks;
> I'm afraid that's much more important.  It's also documented in
> README.Debian.  If you need to use LD_LIBRARY_PATH in conjunction with
> ssh-agent, you'll need to put it in something underneath ssh-agent in
> the process tree.

Hm, I see. Wouldn't it be possible to script this in a way that just
ssh-agent runs without the previously set LD_LIBRARY_PATH, but the
program it runs maintains the previous path? Something like, or
equivalent to:

    eval `ssh-agent -s`
    the-program-to-run

Unfortunately, the issue is not solved by saying "just do the setup
inside the exec'ed function". The program typically run "inside"
ssh-agent is dbus-launch (it's added to the $STARTUP first), so this
removal of environment variables means that dbus-activated programs use
an incorrect environment. The README gives no indication how this could
be solved, and actually the only idea I could come up with involves
changing the global /etc/X11/Xsession.d files, which should not be
necessary just to properly run a desktop in a different environment.

What about the askpass program? It's a Qt/KDE program as well and should
therefore have the same environment as the session. In fact, askpass and
pinentry (for gpg) were the initial reason why I did all this
environment set-up in .xsessionrc, not in .xsession - at least one of
them didn't work properly otherwise.

The net effect of this behaviour is that .xsessionrc is hardly useful.

IMHO this issue should be mentioned in the manpage as well. That's where
I looked for any documentation about any effects on the environment, and
found none related to this problem.


Kind regards
Ralf
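
The suggestion quoted above, setting LD_LIBRARY_PATH in something underneath ssh-agent in the process tree, sketched as an added example that is not part of this message or of the Debian package: the value travels past the setgid agent in an ordinarily named variable and is restored before the real program starts. `run_under_agent`, `AGENT_CMD` and the `SAVED_*` names are made up for this example, and it does not change the order in which the Xsession.d scripts add dbus-launch to $STARTUP.

```shell
#!/bin/sh
# Added example, not code from the thread or from the openssh package.
#
# Because ssh-agent is setgid, LD_LIBRARY_PATH is missing from the
# environment of whatever it starts (the behaviour reported in this bug).
# A variable with an ordinary name is passed through untouched, so the
# value is copied into one before the agent starts and copied back by a
# small shell that runs underneath the agent. The agent itself never runs
# with the user-supplied library path.

# Launcher to run under. Override it (for example with
# "env -u LD_LIBRARY_PATH") to try the wrapper without ssh-agent installed.
AGENT_CMD=${AGENT_CMD:-ssh-agent}

# run_under_agent PROGRAM [ARGS...]
run_under_agent() {
    # The second variable records whether LD_LIBRARY_PATH was set at all,
    # so an unset variable is not turned into an empty one.
    SAVED_LD_LIBRARY_PATH=${LD_LIBRARY_PATH-} \
    SAVED_LD_LIBRARY_PATH_SET=${LD_LIBRARY_PATH+yes} \
    $AGENT_CMD sh -c '
        if [ -n "$SAVED_LD_LIBRARY_PATH_SET" ]; then
            LD_LIBRARY_PATH=$SAVED_LD_LIBRARY_PATH
            export LD_LIBRARY_PATH
        fi
        # Remove the helper variables so the program sees a clean environment.
        unset SAVED_LD_LIBRARY_PATH SAVED_LD_LIBRARY_PATH_SET
        exec "$@"
    ' sh "$@"
}
```

Calling `run_under_agent the-program-to-run` starts the program as a child of ssh-agent with SSH_AUTH_SOCK set by the agent and LD_LIBRARY_PATH restored by the wrapper.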

