Move the ssh-agent socket from /tmp to $HOME/.ssh/
On Tue, Apr 29, 2025 at 07:48:35AM -0600, Theo de Raadt wrote:
> ~/ can be on NFS, whereas /tmp is guaranteed to be local.
>
> Your proposal has some pretty big consequences.

Oh, good point. Yeah, that complicates things.

> As for your problem with /tmp versus in a sub-directory of home, I
> don't see how this is actually solving it.
>
> Unveil does not solve the problem of non-unveiled programs accessing
> files. It only prevents unveiled programs from accessing such files,
> obviously.

Hehe, obviously. The scenario I had in mind was Firefox, where each
process is unveiled to only have access to the files and directories it
needs access to. Though, every single process of Firefox has 'rwc'
access to /tmp. So if Firefox got compromised, it can still access my
ssh-agent socket that lives in /tmp. Though, Firefox does not have
access to ~/.ssh.

> Jesper Wallin <jesper@ifconfig.se> wrote:
>
> > Hi all,
> >
> > A program may use unveil(2) to limit access to the filesystem in case
> > the program is compromised. This will hopefully keep sensitive files
> > like your private keys in ~/.ssh safe when behemoths like firefox or
> > chromium are compromised. However, these programs also require access
> > to /tmp and many of the moving parts have "rwc" access to it.
> >
> > Now, when you start xenodm and have a valid ssh key in your ~/.ssh, it
> > will run ssh-agent and ssh-add, which asks for your password and adds it
> > to the running agent.
> >
> > If no bind_address is specified (-a) for ssh-agent, it will create a
> > socket in $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> and set $SSH_AUTH_SOCK.
> >
> > In other words, a program that has access to /tmp can also access the
> > socket for ssh-agent and use your unlocked keys to authenticate with.
> >
> > So, a simple fix for this would be to move the socket out of /tmp and
> > place it in ~/.ssh/ or something. Maybe there's a package that needs
> > access to the agent but still no access to ~/.ssh? I could probably be
> > wrong here, but /tmp seems like a too "broad" directory to place it in,
> > in terms of unveil(2) and restricting filesystem access.
> >
> >
> > Index: app/xenodm/config/Xsession.in
> > ===================================================================
> > RCS file: /cvs/xenocara/app/xenodm/config/Xsession.in,v
> > diff -u -p -r1.2 Xsession.in
> > --- app/xenodm/config/Xsession.in	1 Jul 2022 20:42:06 -0000	1.2
> > +++ app/xenodm/config/Xsession.in	23 Apr 2025 07:35:41 -0000
> > @@ -28,7 +28,7 @@ then
> >  	for k in id_rsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk id_dsa
> >  	do
> >  		if [ -f "$HOME/.ssh/$k" ]; then
> > -			eval `ssh-agent -s`
> > +			eval `ssh-agent -s -a "$HOME/.ssh/ssh-agent.socket"`
> >  			ssh-add < /dev/null
> >  			break
> >  		fi
> >
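Review bot: the `+ eval `ssh-agent -s -a "$HOME/.ssh/ssh-agent.socket"`` line binds to a fixed path but never clears a stale socket there, and ssh-agent does not unlink an existing file at the `-a` path before bind(2), so a socket left behind by an earlier session (agent not killed at logout, or a crash) makes `ssh-agent -s` fail, the `eval` sets nothing, and the following `ssh-add < /dev/null` runs without an agent; add a `rm -f "$HOME/.ssh/ssh-agent.socket"` before the `eval`, or use a per-session name. The hunk also has no handling for the case raised in the thread where $HOME is on NFS and a UNIX-domain socket cannot be created there, whereas the replaced `eval `ssh-agent -s`` always used local /tmp; at minimum fall back to the default location when the bind fails.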