debcrafters-packages team mailing list archive
Message #06986
[Bug 2122497] [NEW] ssh-agent needlessly has setgid bit set
Public bug reported:
In seemingly all Ubuntu versions, ssh-agent has its setgid bit set.
Based on what I've managed to dig up from the archives, this seems to
have been implemented as a measure to disallow ptracing the process (for
security reasons). Later, ptracing SSH agent was instead disallowed by
setting PR_SET_DUMPABLE to 0:
https://anongit.mindrot.org/openssh.git/commit/?id=6c4914afccb0c188a2c412d12dfb1b73e362e07e
In our terminal server software ThinLinc, this poses a problem as we use
LD_LIBRARY_PATH to tunnel smart cards over the network. With the setgid
bit set, LD_LIBRARY_PATH is stripped, meaning that network smart card
tunneling does not work with ssh-agent on Ubuntu.
Many other distributions, for example RedHat-derivatives, use the above
linked PR_SET_DUMPABLE approach to making ssh-agent un-ptraceable.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: openssh-client 1:9.6p1-3ubuntu13.13
ProcVersionSignature: Ubuntu 6.14.0-29.29~24.04.1-generic 6.14.8
Uname: Linux 6.14.0-29-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Wed Sep 10 11:26:04 2025
InstallationDate: Installed on 2024-07-09 (428 days ago)
InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Release amd64 (20240424)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm
XDG_RUNTIME_DIR=<set>
RelatedPackageVersions:
ssh-askpass N/A
libpam-ssh N/A
keychain N/A
ssh-askpass-gnome N/A
SSHClientVersion: OpenSSH_9.6p1 Ubuntu-3ubuntu13.13, OpenSSL 3.0.13 30 Jan 2024
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug noble
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2122497
Title:
ssh-agent needlessly has setgid bit set
Status in openssh package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2122497/+subscriptions
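The two mechanisms the report contrasts can be checked from C on Linux with glibc. This is an added example, not code from the bug report or from OpenSSH; the helper names and the default path `/usr/bin/ssh-agent` are assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/auxv.h>
#include <sys/prctl.h>
#include <sys/stat.h>

/* 1 if the file has the setgid bit, 0 if not, -1 if it cannot be stat'ed. */
int has_setgid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISGID) ? 1 : 0;
}

/* 1 if the kernel started this process in secure-execution mode, which is
 * what happens when a setgid binary changes the effective group. In that
 * mode the glibc dynamic loader ignores LD_LIBRARY_PATH. */
int secure_exec_active(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* The prctl approach: clear the dumpable flag so unprivileged processes
 * cannot ptrace-attach. Returns the flag as read back (0 on success),
 * or -1 if prctl fails. Secure-execution mode is not involved. */
int disable_dumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

int main(int argc, char **argv)
{
    /* Assumed install path; pass another path as the first argument. */
    const char *agent = argc > 1 ? argv[1] : "/usr/bin/ssh-agent";

    printf("%s setgid bit: %d\n", agent, has_setgid_bit(agent));
    printf("secure-execution mode (AT_SECURE): %d\n", secure_exec_active());
    printf("dumpable flag after prctl: %d\n", disable_dumpable());
    /* LD_LIBRARY_PATH handling is decided at exec time, so clearing the
     * dumpable flag afterwards leaves AT_SECURE unchanged. */
    printf("AT_SECURE after prctl: %d\n", secure_exec_active());
    return 0;
}
```
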