From 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb Mon Sep 17 00:00:00 2001 From: Ashlen Date: Tue, 20 May 2025 17:07:51 -0600 Subject: [PATCH 1/3] fix(permission-hardener): ssh-agent gets 755 perms Replace the commented-out matchwhitelist entry for ssh-agent with an explicit permission entry (755) for /usr/bin/ssh-agent. When ssh-agent's matchwhitelist entry was commented out in commit 7a5f8b87af, permission-hardener began resetting it to restrictive defaults (744), preventing non-root users from executing ssh-agent. This broke split SSH functionality in Qubes OS for me because I was using Kicksecure in the vault qube, and ssh-agent runs under a non-root user in that configuration (see https://forum.qubes-os.org/t/split-ssh/19060). As noted in the comment, Debian installs with 2755 permissions as a way to mitigate ptrace attacks, but this rationale doesn't apply due to kernel.yama.ptrace_scope=2 being set in Kicksecure. --- .../25_default_whitelist_ssh.conf | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 8688dfe..5415197 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf 
@@ -5,11 +5,21 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## Used for SSH client key management +## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html +## Debian installs ssh-agent with setgid permissions (2755) and with +## _ssh as the group to prevent ptrace attacks that could extract +## private keys from the agent's memory. However, as Kicksecure makes use +## of kernel.yama.ptrace_scope=2 by default, this is not a concern. +## +## ssh-agent is often run under non-root users, so 755 permissions make +## sense here to avoid breakage. +/usr/bin/ssh-agent 755 root root + ## Used only for SSH host-based authentication ## https://linux.die.net/man/8/ssh-keysign ## Needed to allow access to the machine's host key for use in the ## authentication process. This is a non-default method of authenticating to ## SSH, and is likely rarely used, thus this should be safe to disable. -#ssh-agent matchwhitelist #ssh-keysign matchwhitelist #/usr/lib/openssh matchwhitelist From 7a079c3de8bd8b4e026a1bd1b932a04610a1e386 Mon Sep 17 00:00:00 2001 From: Ashlen Date: Tue, 20 May 2025 18:41:48 -0600 Subject: [PATCH 2/3] fix(permission-hardener): add exactwhitelist here Without this, the permissions for ssh-agent won't be changed properly. --- usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 5415197..767cd08 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf 
@@ -14,6 +14,7 @@ ## ## ssh-agent is often run under non-root users, so 755 permissions make ## sense here to avoid breakage. +/usr/bin/ssh-agent exactwhitelist /usr/bin/ssh-agent 755 root root ## Used only for SSH host-based authentication From 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0 Mon Sep 17 00:00:00 2001 From: Ashlen Date: Tue, 27 May 2025 15:32:41 -0600 Subject: [PATCH 3/3] fix(permission-hardener): ssh-agent gets 2755 perms Change from exactwhitelist to matchwhitelist. Discussion revealed that there's a good reason to leave setgid in here, which is essentially defense-in-depth (sometimes users may want to revert Kicksecure's default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and Kicksecure should not be less secure than vanilla Debian in that situation). --- .../25_default_whitelist_ssh.conf | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 767cd08..2b55bd2 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf 
@@ -8,14 +8,9 @@ ## Used for SSH client key management ## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html ## Debian installs ssh-agent with setgid permissions (2755) and with -## _ssh as the group to prevent ptrace attacks that could extract -## private keys from the agent's memory. However, as Kicksecure makes use -## of kernel.yama.ptrace_scope=2 by default, this is not a concern. -## -## ssh-agent is often run under non-root users, so 755 permissions make -## sense here to avoid breakage. -/usr/bin/ssh-agent exactwhitelist -/usr/bin/ssh-agent 755 root root +## _ssh as the group to help mitigate ptrace attacks that could extract +## private keys from the agent's memory. +ssh-agent matchwhitelist ## Used only for SSH host-based authentication ## https://linux.die.net/man/8/ssh-keysign
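Review bot: In the first hunk (PATCH 1/3, `@@ -5,11 +5,21 @@`), the new entry `/usr/bin/ssh-agent 755 root root` drops the setgid bit and the `_ssh` group that Debian ships, so the only thing standing between an unprivileged process and the agent's memory is the `kernel.yama.ptrace_scope=2` sysctl, and the added comment "this is not a concern" overstates that: a sysctl is runtime-tunable and a user who lowers it for debugging silently loses the second layer. If the goal is only to let non-root users execute the binary, keep the group and the setgid bit and write the intended mode explicitly, e.g. `/usr/bin/ssh-agent 2755 root _ssh`, and soften the comment to "helps mitigate" rather than "not a concern".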
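Review bot: In the second hunk (PATCH 2/3, `@@ -14,6 +14,7 @@`), the file now carries two directives for the same path, `/usr/bin/ssh-agent exactwhitelist` immediately followed by `/usr/bin/ssh-agent 755 root root`, and nothing in the surrounding `##` comments explains how permission-hardener reconciles a whitelist (leave the file alone) with an explicit mode (set it to 755). A later maintainer will read one of them as redundant and delete it, reintroducing the breakage this series fixes. Add a one-line comment above the pair stating why both are required, and expand the commit message beyond "won't be changed properly" to say what mode actually resulted without the `exactwhitelist` line.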
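Review bot: In the third hunk (PATCH 3/3, `@@ -8,14 +8,9 @@`), the subject says "ssh-agent gets 2755 perms" but the replacement line `ssh-agent matchwhitelist` sets no mode at all; it exempts whatever the package installed, which is not the same as asserting 2755. Two further points: the bare name `ssh-agent` is a pattern, unlike the full path `/usr/bin/ssh-agent` used by the `exactwhitelist` line this hunk removes, so it may also exempt any other path containing that string; and the hunk deletes the comment explaining why the entry exists at all (ssh-agent runs as non-root users), leaving only the ptrace rationale. Suggest either `/usr/bin/ssh-agent exactwhitelist` or an explicit `/usr/bin/ssh-agent 2755 root _ssh` entry, plus a `##` line carrying the defense-in-depth reasoning from the commit message (users may lower `kernel.yama.ptrace_scope` to debug, and Kicksecure should not be weaker than Debian when they do), since the config comment is what future readers will see, not the commit log.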