From: Károly Arnhoffer
To: "freebsd-security@freebsd.org"
Subject: setgid ssh-agent
Date: Thu, 16 Apr 2015 18:58:42 +0000
Message-ID: <08700910B5A5E84EB1D9B4504501B63D0FB0276D@ESESSMB309.ericsson.se>

Hi,

As far as I can see, OpenSSH's ssh-agent is not setgid, as it is, for example, in all the Linux distributions I know.

They say ssh-agent needs to be setgid to a group that owns nothing so that it can be safe from ptrace. It seems to me that ptrace is functionally the same in FreeBSD as well, even though ssh-agent is not setgid.

Some links about the topic:

http://unix.stackexchange.com/questions/141082/why-ssh-agent-group-ownership-is-not-root
http://serverfault.com/questions/290920/why-does-ssh-agent-have-sgid-set
http://comments.gmane.org/gmane.linux.debian.devel.ssh/59

In my FreeBSD 10.1-RELEASE the stock ssh-agent is owned by root:wheel and not setgid. Why?

Thanks!
Karoly
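
A way to check, on a given host, the arrangement the message asks about: whether an ssh-agent binary is setgid, and whether the group it is setgid to owns anything else. This is an added example, not part of the original message and not code from OpenSSH or FreeBSD; the function names, the sample path and the search roots are assumptions.

```shell
#!/bin/sh
# Added example: audit a binary for the "setgid to a group that owns
# nothing" arrangement. All function names here are hypothetical.

# Print the numeric gid of a file (4th field of `ls -ldn`).
file_gid() {
    ls -ldn -- "$1" | awk '{print $4}'
}

# Count files under the given roots that belong to gid $1, not counting
# the binary itself ($2). "Owns nothing" means this count is 0.
group_owned_count() {
    gid=$1; self=$2; shift 2
    find "$@" -xdev -group "$gid" ! -path "$self" 2>/dev/null | wc -l | tr -d ' '
}

# Classify a binary; arguments: <binary> <search-root>...
#   not-setgid        no setgid bit (what the message reports for 10.1)
#   setgid-gid0       setgid to gid 0, which confers real group privilege
#   setgid-shared     setgid, but the group owns other files under the roots
#   setgid-dedicated  setgid to a group that owns nothing else under the roots
classify_agent() {
    bin=$1; shift
    [ "$#" -gt 0 ] || { echo "usage: classify_agent BIN ROOT..." >&2; return 2; }
    [ -e "$bin" ] || { echo missing; return 1; }
    [ -g "$bin" ] || { echo not-setgid; return 0; }
    gid=$(file_gid "$bin")
    if [ "$gid" -eq 0 ]; then
        echo setgid-gid0
    elif [ "$(group_owned_count "$gid" "$bin" "$@")" -gt 0 ]; then
        echo setgid-shared
    else
        echo setgid-dedicated
    fi
}

# Example invocation (path and roots are assumptions; adjust per system):
# classify_agent /usr/bin/ssh-agent /usr /etc /var
```

The result only covers the roots that are passed in; a group can still own files on filesystems that were not searched.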