mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-07-09 12:09:24 -04:00
fix(permission-hardener): ssh-agent gets 2755 perms
Change from exactwhitelist to matchwhitelist. Discussion revealed that there's a good reason to leave setgid in here, which is essentially defense-in-depth (sometimes users may want to revert Kicksecure's default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and Kicksecure should not be less secure than vanilla Debian in that situation).
This commit is contained in:
parent
c59b2e4bc5
commit
3559bc86b7
1 changed files with 3 additions and 8 deletions
|
@ -8,14 +8,9 @@
|
|||
## Used for SSH client key management
|
||||
## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
|
||||
## Debian installs ssh-agent with setgid permissions (2755) and with
|
||||
## _ssh as the group to prevent ptrace attacks that could extract
|
||||
## private keys from the agent's memory. However, as Kicksecure makes use
|
||||
## of kernel.yama.ptrace_scope=2 by default, this is not a concern.
|
||||
##
|
||||
## ssh-agent is often run under non-root users, so 755 permissions make
|
||||
## sense here to avoid breakage.
|
||||
/usr/bin/ssh-agent exactwhitelist
|
||||
/usr/bin/ssh-agent 755 root root
|
||||
## _ssh as the group to help mitigate ptrace attacks that could extract
|
||||
## private keys from the agent's memory.
|
||||
ssh-agent matchwhitelist
|
||||
|
||||
## Used only for SSH host-based authentication
|
||||
## https://linux.die.net/man/8/ssh-keysign
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue