Hello, this may be a stupid question, but I'll ask anyways because I was unable to get a satisfying answer somwhere else. So feel free to simply point out my stupidity, if the problem lies only there. The question: If I start an ssh-agent, it creates a socket (/tmp/ssh-*/agent.*), with the socket's and the directory's permissions set to 600. However, if I now connect to a remote host with agent-forwarding enabled, the resulting socket on the remote host gets permissions 755 (the directory still gets 700). What bothers me is the go+rx part, is there any specific reason to that? If not, wouldn't it be better to be paranoid and use 600? The behaviour above applies to Linux (Debian testing, OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006), as well as Solaris (Solaris 10 06/06 x86, OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006) and FreeBSD (5.4, OpenSSH_3.6.1, SSH protocols 1.5/2.0, OpenSSL 0x0090804f). Unfortunately I have no OpenBSD box available to test that behaviour, so it could perhaps only affect portable OpenSSH. Ciao, Alexander Wuerstlein.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri 2007-03-23 11:29:34 -0400, Alexander Wuerstlein wrote:> If I start an ssh-agent, it creates a socket (/tmp/ssh-*/agent.*), > with the socket's and the directory's permissions set to > 600. However, if I now connect to a remote host with > agent-forwarding enabled, the resulting socket on the remote host > gets permissions 755 (the directory still gets 700). > > What bothers me is the go+rx part, is there any specific reason to that? > If not, wouldn't it be better to be paranoid and use 600?I seem to recall that many Unices ignore permissions on sockets (i think linux does *not* ignore them), and usually rely on the parent directory for access control. I haven't been able to dig up a good authoritative reference for this, but here's a URL which implies the above. http://www.openldap.org/lists/openldap-software/200306/msg00106.html I think that setting the permissions restrictively would be wise (and consistent with the initial socket creation), but given the directory setup, it's not immediately critical. just my $0.02, --dkg -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.8+ <http://mailcrypt.sourceforge.net/> iD8DBQFGBqaIiXTlFKVLY2URAi96AJ9yytiefpPhMbj+O7EWEqP3w20gIACePGC5 zKuTT1rMgGegru4j6Z2yE08=LF+/ -----END PGP SIGNATURE-----
Reasonably Related Threads
- Quadrified GTX 480 VT-d passthrough. CUDA 5.5 in Linux partial success
- Agent Forwarding Anomalies on OpenBSD 3.3/OpenSSH 3.6.1
- new related project nutdown: https://github.com/arwarw/nutdown
- OpenSSH-Client without reverse tunnel ability
- Using Dropbear for RTOS which is not POSIX complaint?