From: Jesper Wallin
Subject: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: tech@openbsd.org
Date: Wed, 23 Apr 2025 10:33:06 +0200

Hi all,

A program may use unveil(2) to limit access to the filesystem in case the program is compromised. This will hopefully keep sensitive files like your private keys in ~/.ssh safe when behemoths like firefox or chromium are compromised. However, these programs also require access to /tmp and many of the moving parts have "rwc" access to it.

Now, when you start xenodm and have a valid ssh key in your ~/.ssh, it will run ssh-agent and ssh-add, which asks for your password and adds it to the running agent. If no bind_address is specified (-a) for ssh-agent, it will create a socket in $TMPDIR/ssh-XXXXXXXXXX/agent. and set $SSH_AUTH_SOCK. In other words, a program that has access to /tmp can also access the socket for ssh-agent and use your unlocked keys to authenticate with.

So, a simple fix for this would be to move the socket out of /tmp and place it in ~/.ssh/ or something. Maybe there's a package that needs access to the agent but still no access to ~/.ssh? I could probably be wrong here, but /tmp seems like too "broad" a directory to place it in, in terms of unveil(2) and restricting filesystem access.

Index: app/xenodm/config/Xsession.in =================================================================== RCS file: /cvs/xenocara/app/xenodm/config/Xsession.in,v diff -u -p -r1.2 Xsession.in --- app/xenodm/config/Xsession.in 1 Jul 2022 20:42:06 -0000 1.2 +++ app/xenodm/config/Xsession.in 23 Apr 2025 07:35:41 -0000 @@ -28,7 +28,7 @@ then for k in id_rsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk id_dsa do if [ -f "$HOME/.ssh/$k" ]; then - eval `ssh-agent -s` + eval `ssh-agent -s -a "$HOME/.ssh/ssh-agent.socket"` ssh-add < /dev/null break fi
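Review bot: the fixed path passed with -a in the `eval` line removes the per-session uniqueness that the $TMPDIR/ssh-XXXXXXXXXX directory gave the socket. If an earlier session did not clean up, or the same user logs in a second time, $HOME/.ssh/ssh-agent.socket already exists and ssh-agent will refuse to bind to it; the eval then sets nothing, and the following `ssh-add < /dev/null` runs against no agent while the loop still hits `break`. Consider removing a stale socket before starting the agent (or testing that SSH_AUTH_SOCK is set and the socket exists before calling ssh-add), and note in the commit message that the socket is now shared across concurrent sessions of the same user.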