security-misc/usr
Ashlen 94dc9da4ab
fix(permission-hardener): ssh-agent gets 755 perms
Replace the commented-out matchwhitelist entry for ssh-agent with an
explicit permission entry (755) for /usr/bin/ssh-agent.

When ssh-agent's matchwhitelist entry was commented out in commit
7a5f8b87af, permission-hardener began resetting it to restrictive
defaults (744), preventing non-root users from executing ssh-agent. This
broke split SSH functionality in Qubes OS for me because I was using
Kicksecure in the vault qube, and ssh-agent runs under a non-root user in
that configuration (see https://forum.qubes-os.org/t/split-ssh/19060).

As noted in the comment, Debian installs with 2755 permissions as a way
to mitigate ptrace attacks, but this rationale doesn't apply due to
kernel.yama.ptrace_scope=2 being set in Kicksecure.
2025-05-20 18:04:46 -06:00
..
bin Don't handle files with multiple hardlinks 2025-01-21 21:49:03 -06:00
lib fix(permission-hardener): ssh-agent gets 755 perms 2025-05-20 18:04:46 -06:00
libexec/security-misc handle case of non-existence of /proc/cmdline 2025-05-18 06:44:42 -04:00
share output 2025-04-25 03:11:39 -04:00