Why does ssh-agent have SGID set?

In the openssh Red Hat package, I noticed that the ssh-agent executable has the SGID permission set:

$ ls -l /usr/bin/ssh-agent
-rwxr-sr-x 1 root nobody 113648 Nov 24  2010 /usr/bin/ssh-agent

Why would the openssh developers want ssh-agent to run with the nobody group? Or maybe I am misunderstanding what SGID does?


Well, mine's setgid to the ssh group. I'm guessing you're on a RedHat-derived system; they love to abuse the nobody user/group.

A bit of googling suggests that the setgid is to prevent a security vulnerability whereby secret key material is obtained by ptracing the agent (http://comments.gmane.org/gmane.linux.debian.devel.ssh/59). Making the process setgid-anything means that ptracing by non-root (or at least non-CAP_SYS_PTRACE) users is EPERMed.
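As an added example (not code from the question or answer above), here is a small Python helper that decodes an ls -l mode string such as the one in the question, reports which set-id bits it carries and what group or user the program would run as, and renders a stat() st_mode back into the same notation for auditing. The only input is the ls -l line quoted in the question, reused here as a constructed sample.

```python
import re
import stat

# Sample input: the ls -l line from the question, reused here as test data.
SAMPLE_LS_LINE = "-rwxr-sr-x 1 root nobody 113648 Nov 24  2010 /usr/bin/ssh-agent"

_MODE_RE = re.compile(r"^([-dlcbps])([rwxsStT-]{9})$")


def parse_mode_string(mode: str) -> dict:
    """Decode an ls-style mode string such as '-rwxr-sr-x'.

    setuid/setgid are shown in the owner/group execute slot: 's' means the
    bit is set together with execute, 'S' means set without execute.
    't'/'T' in the "other" execute slot is the sticky bit.
    """
    m = _MODE_RE.match(mode)
    if not m:
        raise ValueError(f"not an ls mode string: {mode!r}")
    ftype, perms = m.groups()
    owner, group, other = perms[0:3], perms[3:6], perms[6:9]
    return {
        "type": ftype,
        "setuid": owner[2] in "sS",
        "setgid": group[2] in "sS",
        "sticky": other[2] in "tT",
    }


def parse_ls_line(line: str) -> dict:
    """Split one 'ls -l' line into mode bits, owner, group and path."""
    fields = line.split(None, 8)
    if len(fields) < 9:
        raise ValueError(f"unexpected ls -l line: {line!r}")
    info = parse_mode_string(fields[0])
    info.update(owner=fields[2], group=fields[3], path=fields[8])
    return info


def setid_summary(info: dict) -> str:
    """Describe what the set-id bits mean when this file is executed."""
    parts = []
    if info["setuid"]:
        parts.append(f"runs with effective uid of {info['owner']}")
    if info["setgid"]:
        parts.append(f"runs with effective gid of {info['group']}")
    return "; ".join(parts) if parts else "no set-id bits"


def mode_to_string(st_mode: int) -> str:
    """Render a stat() st_mode the way ls -l does (e.g. 0o102755 -> -rwxr-sr-x)."""
    return stat.filemode(st_mode)
```

Feeding the question's line through parse_ls_line reports setgid set, setuid clear, and an effective group of nobody, which is exactly the "-rwxr-sr-x ... root nobody" reading the question was unsure about.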