> Running the 20101126 snapshot, I was poking around a bit this morning
> and noticed a possible permissions issue.
>
> $ ls -l /tmp/ssh-U7b26QotNu5v/agent.12708
> srwxr-xr-x 1 test wheel 0 Nov 28 15:57 /tmp/ssh-U7b26QotNu5v/agent.12708

If you look closer you will see that /tmp/ssh-U7b26QotNu5v itself is drwx------, which means you cannot get at the socket.

> ssh-agent(1):
> $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
> UNIX-domain sockets used to contain the connection to the
> authentication agent. These sockets should only be readable by
> the owner. The sockets should get automatically removed when the
> agent exits.
> [...]
> A UNIX-domain socket is created and the name of this socket is stored in
> the SSH_AUTH_SOCK environment variable. The socket is made accessible
> only to the current user. This method is easily abused by root or
> another instance of the same user.
>
> Should auth-agent be setting the socket permission to 0700?

That cannot be done reliably on many operating systems, since their AF_UNIX socket() calls ignore the umask. Doing a chmod afterwards still exposes a race. However, it is not important since the closed directory was created atomically.
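The pattern the reply describes, as an added example that is not ssh-agent's code and not part of the thread: the private directory is created atomically with mode 0700 (mkdtemp does this in one mkdir call, independent of umask), the socket is bound inside it, and a check confirms the socket is shielded by its parent even when the socket node itself carries group/other bits. Function names are hypothetical.

```python
import os
import socket
import stat
import tempfile


def make_agent_socket(name="agent.sock"):
    """Create a 0700 directory atomically, then bind a UNIX socket inside it.

    Hypothetical helper mirroring the ssh-agent layout $TMPDIR/ssh-XXXX/agent.<pid>.
    mkdtemp() issues a single mkdir() with mode 0700, so there is no window in
    which another user can see the directory open, whatever the umask is.
    """
    dirpath = tempfile.mkdtemp(prefix="ssh-")
    path = os.path.join(dirpath, name)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)  # socket node mode may ignore umask on some systems
    srv.listen(1)
    return srv, dirpath, path


def socket_is_private(path):
    """Return True if the socket is reachable only by its owner.

    The parent directory is checked first: if it is mode 0700 and owned by the
    current user, the socket's own mode bits do not matter (no one else can
    traverse into the directory). Only otherwise do the socket's bits count.
    """
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return False
    parent = os.lstat(os.path.dirname(path))
    others = stat.S_IRWXG | stat.S_IRWXO
    parent_private = (stat.S_ISDIR(parent.st_mode)
                      and (parent.st_mode & others) == 0
                      and parent.st_uid == os.getuid())
    socket_private = (st.st_mode & others) == 0 and st.st_uid == os.getuid()
    return parent_private or socket_private


def cleanup(srv, dirpath, path):
    """Remove the socket and its directory, as the agent does on exit."""
    srv.close()
    os.unlink(path)
    os.rmdir(dirpath)
```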

