From: Stuart Henderson
Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: Jay Acuna
Cc: Ted Unangst, Theo de Raadt, Jesper Wallin, tech@openbsd.org
Date: Wed, 30 Apr 2025 09:33:11 +0100

On 2025/04/29 14:49, Jay Acuna wrote:
> On Tue, Apr 29, 2025 at 1:00 PM Ted Unangst wrote:
> > On 2025-04-29, Theo de Raadt wrote:
> > > ~/ can be on NFS, whereas /tmp is guaranteed to be local.
> >
> > Does that matter? There can be several sockets, and just having
> > one from another machine doesn't mean anything, ssh won't use it.
>
> I think the SSH socket files are inherently temporary and ~ is not meant
> to be used as app scratch space for temp files. As mentioned,
> the homedir is commonly a remote mount.
>
> I would have an alternate suggestion: create a mkdir -p
> /tmp/username.private.$$/ssh subdirectory
> within /tmp and choose that subdirectory for the SSH socket.
>
> Then use your unveil(2) to subdivide the restrictions on /tmp further
> and block access to everything
> below that user's /tmp/username.private.$$ subdirectory that
> has the ssh subdirectory
> while still allowing access at the /tmp folder level itself.

as described in unveil(2), the first call to unveil hides all
filesystem access apart from the listed file or directory subtree.
subsequent calls open up ("unveil") access to other files/dirs; this
is repeated until all wanted dirs are "unveiled", and the list is then
locked.

the mechanism doesn't allow "permit /foo but deny /foo/bar".