I recently noticed something odd about the way forwarded ssh-agent
sessions work:
when I use ssh-agent and allow it to be forwarded to another host
(trusted, of course), I noticed that the remote agent does not appear to
drop privileges; notice how the socket and socket directory are
created in /tmp:
[eb@dogbert eb]$ ll -d /tmp/ssh-ONn15369/
drwx------ 2 eb root 1024 Jul 1 12:53 /tmp/ssh-ONn15369/
[eb@dogbert eb]$ ll /tmp/ssh-ONn15369/
total 0
srwxr-xr-x 1 eb root 0 Jul 1 12:53 agent.15369
Two problems I see here: 1) the agent is not dropping gid=root
privileges when creating the socket, and 2) the agent is not setting a
proper create mode when the actual socket is created; the socket
should have 0600 permissions IMO, even if it is protected by a `gate'
directory.
And then I noticed this:
[eb@dogbert eb]$ ps aux | grep 15369
root 15369 0.1 1.8 3244 1724 ? S 12:53 0:00 /usr/sbin/sshd
eb 15398 0.0 0.5 1260 480 pts/0 S 12:59 0:00 grep 15369
[eb@dogbert eb]$ ps aufx | grep sshd
root 14037 0.0 0.9 2240 944 ? S Jun28 0:06 /usr/sbin/sshd
root 15369 0.1 1.8 3244 1724 ? S 12:53 0:00 \_ /usr/sbin/sshd
eb 15400 0.0 0.5 1260 480 pts/0 S 12:59 0:00 \_ grep sshd
[eb@dogbert eb]$
Why isn't an ssh-agent process forked to handle the socket? Instead we
have a fully root-owned process listening on a socket; is that safe?
--
Ethan Benson
http://www.alaska.net/~erbenson/
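The conditions the post describes can be checked mechanically on any host where agent forwarding is in use. The script below is an added example written for this page; it is not code from the original message or from OpenSSH. It audits a forwarded-agent socket directory against the expectations stated above: directory mode 0700, socket mode 0600, and both carrying the user's own uid and gid rather than root's (the "gid=root not dropped" symptom). The function names, the `stat -c` (GNU coreutils) syntax with a BSD `stat -f` fallback, and the numeric uid/gid comparison are all choices of this example.

```shell
#!/bin/sh
# Added example: audit a forwarded ssh-agent socket directory such as
# /tmp/ssh-XXXXXXXX for the ownership and mode problems described above.
# "stat -c" is GNU coreutils syntax; "stat -f" is the BSD fallback.

file_meta() {
    # Prints "<octal mode> <uid> <gid>" for the path in $1.
    stat -c '%a %u %g' "$1" 2>/dev/null || stat -f '%Lp %u %g' "$1"
}

check_mode() {
    # check_mode PATH EXPECTED_OCTAL -> 0 if the mode matches, 1 otherwise.
    set -- "$1" "$2" "$(file_meta "$1" | cut -d' ' -f1)"
    if [ "$3" = "$2" ]; then return 0; fi
    echo "finding: $1 has mode $3, expected $2"
    return 1
}

check_owner() {
    # check_owner PATH UID GID -> 0 if uid and gid both match, 1 otherwise.
    path=$1; want_uid=$2; want_gid=$3
    set -- $(file_meta "$path")      # $1=mode $2=uid $3=gid
    rc=0
    if [ "$2" != "$want_uid" ]; then
        echo "finding: $path owned by uid $2, expected $want_uid"; rc=1
    fi
    if [ "$3" != "$want_gid" ]; then
        # A root gid on a user's agent socket is the "privileges not
        # dropped" symptom observed in the post.
        echo "finding: $path has gid $3, expected $want_gid"; rc=1
    fi
    return $rc
}

audit_agent_dir() {
    # audit_agent_dir DIR [UID] [GID]
    # Checks the gate directory (0700, owned by the user) and every entry in
    # it (a socket, 0600, owned by the user). Returns the number of findings,
    # so 0 means everything looks as expected.
    dir=$1; uid=${2:-$(id -u)}; gid=${3:-$(id -g)}
    findings=0
    if [ ! -d "$dir" ]; then
        echo "finding: $dir is not a directory"; return 1
    fi
    check_mode "$dir" 700 || findings=$((findings + 1))
    check_owner "$dir" "$uid" "$gid" || findings=$((findings + 1))
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue   # empty directory leaves the glob literal
        if [ ! -S "$entry" ]; then
            echo "finding: $entry is not a socket"; findings=$((findings + 1))
        fi
        check_mode "$entry" 600 || findings=$((findings + 1))
        check_owner "$entry" "$uid" "$gid" || findings=$((findings + 1))
    done
    return $findings
}

# Typical use on a host where an agent has been forwarded to you:
#   audit_agent_dir "$(dirname "$SSH_AUTH_SOCK")"
```

Run against the directory named by `SSH_AUTH_SOCK`, the socket from the post (`srwxr-xr-x`, group root) would produce two findings: mode 755 instead of 600, and a gid that is not the user's. A non-zero count is a reasonable thing to alert on from a login script.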