As far as I know, the PR_SET_DUMPABLE approach is insufficient: you might manage to attach to the process using ptrace before it reaches the code that makes itself non-dumpable. That's why I've retained the setgid bit.
I would be happy to learn I'm wrong on this, but I would need some pretty authoritative references.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2122497

Title:
  ssh-agent needlessly has setgid bit set

Status in openssh package in Ubuntu:
  New

Bug description:
  In seemingly all Ubuntu versions, ssh-agent has its setgid bit set. Based on what I've managed to dig up from the archives, this seems to have been implemented as a measure to disallow ptracing the process (for security reasons).

  Later, ptracing SSH agent was instead disallowed by setting PR_SET_DUMPABLE to 0:
  https://anongit.mindrot.org/openssh.git/commit/?id=6c4914afccb0c188a2c412d12dfb1b73e362e07e

  In our terminal server software ThinLinc, this poses a problem as we use LD_LIBRARY_PATH to tunnel smart cards over the network. With the setgid bit set, LD_LIBRARY_PATH is stripped, meaning that network smart card tunneling does not work with ssh-agent on Ubuntu.

  Many other distributions, for example RedHat-derivatives, use the above linked PR_SET_DUMPABLE approach to making ssh-agent un-ptraceable.
  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: openssh-client 1:9.6p1-3ubuntu13.13
  ProcVersionSignature: Ubuntu 6.14.0-29.29~24.04.1-generic 6.14.8
  Uname: Linux 6.14.0-29-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3.8
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Wed Sep 10 11:26:04 2025
  InstallationDate: Installed on 2024-07-09 (428 days ago)
  InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Release amd64 (20240424)
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm
   XDG_RUNTIME_DIR=<set>
  RelatedPackageVersions:
   ssh-askpass N/A
   libpam-ssh N/A
   keychain N/A
   ssh-askpass-gnome N/A
  SSHClientVersion: OpenSSH_9.6p1 Ubuntu-3ubuntu13.13, OpenSSL 3.0.13 30 Jan 2024
  SourcePackage: openssh
  UpgradeStatus: No upgrade log present (probably fresh install)
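
To see both mechanisms from this report side by side, the following added example (not part of the bug report and not OpenSSH code) reports whether the kernel marked the process as a secure exec, which is what makes the loader drop LD_LIBRARY_PATH, and the dumpable flag before and after a PR_SET_DUMPABLE call. The struct and function names are illustrative.

```c
/* Added example (not OpenSSH code): report the process properties discussed
 * in this bug for whatever binary this is compiled into. Linux/glibc only. */
#include <stdio.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */
#include <sys/prctl.h>  /* prctl(), PR_GET_DUMPABLE, PR_SET_DUMPABLE */

struct hardening {
    int secure_exec;        /* 1: kernel set AT_SECURE for this exec */
    int dumpable_at_start;  /* dumpable flag before we touch it */
    int dumpable_after;     /* dumpable flag after PR_SET_DUMPABLE 0 */
};

/* AT_SECURE is set for set-user-ID/set-group-ID programs (and programs with
 * file capabilities). In that mode ld.so ignores LD_LIBRARY_PATH. */
int secure_exec(void) { return getauxval(AT_SECURE) != 0; }

/* 1 is the default; per ptrace(2), any other value makes the kernel refuse
 * ptrace attach from callers without CAP_SYS_PTRACE. Returns -1 on error. */
int dumpable_state(void) { return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0); }

/* The runtime approach from the linked commit: clear the flag ourselves. */
int make_undumpable(void) { return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); }

struct hardening probe(void)
{
    struct hardening h;
    h.secure_exec = secure_exec();
    h.dumpable_at_start = dumpable_state();   /* state inherited from exec */
    h.dumpable_after = (make_undumpable() == 0) ? dumpable_state() : -1;
    return h;
}

int main(void)
{
    struct hardening h = probe();
    printf("AT_SECURE: %d (LD_LIBRARY_PATH %s by ld.so)\n", h.secure_exec,
           h.secure_exec ? "ignored" : "honoured");
    printf("dumpable at start of main(): %d\n", h.dumpable_at_start);
    printf("dumpable after PR_SET_DUMPABLE 0: %d\n", h.dumpable_after);
    return h.dumpable_after == 0 ? 0 : 1;
}
```

Run it once as a plain binary and once as a set-group-ID binary owned by a group other than the caller's own; the first two values are the ones that differ between the two runs.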

