
From:
Jesper Wallin <jesper@ifconfig.se>
Subject:
Move the ssh-agent socket from /tmp to $HOME/.ssh/
To:
tech@openbsd.org
Date:
Wed, 23 Apr 2025 10:33:06 +0200


Hi all,

A program may use unveil(2) to limit access to the filesystem in case
the program is compromised.  This will hopefully keep sensitive files
like your private keys in ~/.ssh safe when behemoths like firefox or
chromium are compromised.  However, these programs also require access
to /tmp and many of the moving parts have "rwc" access to it.

Now, when you start xenodm and have a valid ssh key in your ~/.ssh, it
will run ssh-agent and ssh-add, which asks for your password and adds it
to the running agent.

If no bind_address is specified (-a) for ssh-agent, it will create a
socket in $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> and set $SSH_AUTH_SOCK.

In other words, a program that has access to /tmp can also access the
socket for ssh-agent and use your unlocked keys to authenticate with.

So, a simple fix for this would be to move the socket out of /tmp and
place it in ~/.ssh/ or something.  Maybe there's a package that needs
access to the agent but still no access to ~/.ssh?  I could probably be
wrong here, but /tmp seems like too "broad" a directory to place it in,
in terms of unveil(2) and restricting filesystem access.


Index: app/xenodm/config/Xsession.in
===================================================================
RCS file: /cvs/xenocara/app/xenodm/config/Xsession.in,v
diff -u -p -r1.2 Xsession.in
--- app/xenodm/config/Xsession.in	1 Jul 2022 20:42:06 -0000	1.2
+++ app/xenodm/config/Xsession.in	23 Apr 2025 07:35:41 -0000
@@ -28,7 +28,7 @@ then
 	for k in id_rsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk id_dsa
 	do
 		if [ -f "$HOME/.ssh/$k" ]; then
-			eval `ssh-agent -s`
+			eval `ssh-agent -s -a "$HOME/.ssh/ssh-agent.socket"`
 			ssh-add < /dev/null
 			break
 		fi
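Review bot: the `+` line binds the agent to a fixed path, `$HOME/.ssh/ssh-agent.socket`, but ssh-agent does not remove an existing socket at the `-a` path before binding, so a socket left behind by an earlier session (agent killed without cleanup, or the machine going down) makes the bind fail and the new session ends up with no agent at all. The old line avoided this because every run got a fresh `$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>`. Suggest clearing a stale socket first, e.g. `rm -f "$HOME/.ssh/ssh-agent.socket"` right before the `eval`, or checking whether an agent is already listening there and reusing it instead of starting a second one. Also worth stating in the commit message that the socket now lives inside ~/.ssh, so a program that should reach the agent but not the keys (the open question in the mail) would need to unveil the whole ~/.ssh directory unless the socket gets its own subdirectory.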