Mailing List Archive

From:: "Theo de Raadt" <deraadt@openbsd.org>
Subject:: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To:: Christian Weisgerber <naddy@mips.inka.de>
Cc:: tech@openbsd.org
Date:: Tue, 29 Apr 2025 09:38:22 -0600

Download raw body.

Thread

2025-04-29 15:29 Christian Weisgerber:
Move the ssh-agent socket from /tmp to $HOME/.ssh/
- 2025-04-29 15:34 Theo de Raadt:
  Move the ssh-agent socket from /tmp to $HOME/.ssh/
- 2025-04-29 15:38 Theo de Raadt:
  Move the ssh-agent socket from /tmp to $HOME/.ssh/
- - 2025-04-29 16:05 Stuart Henderson:
    Move the ssh-agent socket from /tmp to $HOME/.ssh/
  - 2025-04-29 18:05 H. Hartzer:
    Move the ssh-agent socket from /tmp to $HOME/.ssh/

Are we missing a pledge behaviour that would block opening of
AF_UNIX sockets?

Or is gaining access to other AF_UNIX sockets the main reason why
the browsers are accessing /tmp?

And of course, the problem with a such a pledge, is that it would affect
everywhere in the filesystem.  But maybe there is some restriction we can
impose which blocks this.

2025-04-29 15:29 Christian Weisgerber:
Move the ssh-agent socket from /tmp to $HOME/.ssh/
- 2025-04-29 15:34 Theo de Raadt:
  Move the ssh-agent socket from /tmp to $HOME/.ssh/
- 2025-04-29 15:38 Theo de Raadt:
  Move the ssh-agent socket from /tmp to $HOME/.ssh/
- - 2025-04-29 16:05 Stuart Henderson:
    Move the ssh-agent socket from /tmp to $HOME/.ssh/
  - 2025-04-29 18:05 H. Hartzer:
    Move the ssh-agent socket from /tmp to $HOME/.ssh/