
Bug#882475: weird access permission to ssh-agent's socket



On Fri, Nov 24, 2017 at 08:37:56AM +0100, Harald Dunkel wrote:
> It is possible to bind mount or hard link the socket to another
> path. Of course this still requires appropriate access permissions,
> but the point is that you cannot be sure that the socket stays
> visible just within this single directory created by sshd.

That's why there's also a getpeereid check, which ensures that that's
not a problem even if somebody does that.

> Please reconsider. I would guess it's easy to fix.

Feel free to ask this upstream yourself (https://bugzilla.mindrot.org/),
but since I can't construct a situation where this is a practical
problem I'm not going to forward it.

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]

