Why does ssh-agent have SGID set?

Question

In the openssh Red Hat package, I noticed that the ssh-agent executable has the SGID permission set:

$ ls -l /usr/bin/ssh-agent
-rwxr-sr-x 1 root nobody 113648 Nov 24  2010 /usr/bin/ssh-agent

Why would the openssh developers want ssh-agent to run with the nobody group? Or maybe I am misunderstanding what SGID does?

score 6 · Accepted Answer · answered Jul 16 '11 at 04:09

6

Well, mine's setgid to the ssh group. I'm guessing you're on a RedHat-derived system; they love to abuse the nobody user/group.

A bit of googling suggests that the setgid is to prevent a security vulnerability whereby secret key material is obtained by ptracing the agent (http://comments.gmane.org/gmane.linux.debian.devel.ssh/59). Making the process setgid-anything means that ptracing by non-root (or at least non-CAP_SYS_PTRACE) users is EPERMed.

answered Jul 16 '11 at 04:09

womble

96,255
29
175
230

Thank you for leading me the right direction. Appreciate it. – Belmin Fernandez Jul 16 '11 at 14:02
Why the group ownership of ssh-agent is noboby not root? – Ask and Learn Jul 07 '14 at 06:58
@AskandLearn: Because if it runs SGID root, it has root-equivalent powers, and so any vulnerability in `ssh-agent` would suddenly be a root-level vulnerability -- which would be very, *very* bad. – womble Jul 08 '14 at 10:35

Why does ssh-agent have SGID set?

1 Answers1