- (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent
   ok dtucker
diff --git a/ChangeLog b/ChangeLog
index d04b222..c093d37 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20030303
+ - (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent
+   ok dtucker  
+
 20040229
  - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188
 
@@ -841,4 +845,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3271 2004/02/29 23:53:37 tim Exp $
+$Id: ChangeLog,v 1.3272 2004/03/03 00:08:59 djm Exp $
diff --git a/configure.ac b/configure.ac
index 7e22ad9..fc765b4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.203 2004/02/29 23:53:37 tim Exp $
+# $Id: configure.ac,v 1.204 2004/03/03 00:08:59 djm Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -494,10 +494,10 @@
 	netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
 	rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
 	strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
-	sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \
-	sys/stream.h sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
-	sys/un.h time.h tmpdir.h ttyent.h usersec.h \
-	util.h utime.h utmp.h utmpx.h vis.h)
+	sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \
+	sys/select.h sys/stat.h sys/stream.h sys/stropts.h \
+	sys/sysmacros.h sys/time.h sys/timers.h sys/un.h time.h tmpdir.h \
+	ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h)
 
 # Checks for libraries.
 AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
@@ -797,7 +797,7 @@
 	getpeereid _getpty getrlimit getttyent glob inet_aton \
 	inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
 	mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
-	pstat readpassphrase realpath recvmsg rresvport_af sendmsg \
+	pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \
 	setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
 	setproctitle setregid setreuid setrlimit \
 	setsid setvbuf sigaction sigvec snprintf socketpair strerror \
diff --git a/ssh-agent.c b/ssh-agent.c
index e5232fc..f5fce6b 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -57,6 +57,10 @@
 #include "scard.h"
 #endif
 
+#if defined(HAVE_SYS_PRCTL_H)
+#include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
+#endif
+
 typedef enum {
 	AUTH_UNUSED,
 	AUTH_SOCKET,
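Review bot: The include is guarded by `HAVE_SYS_PRCTL_H`, while the call added later in this file is guarded by `HAVE_PRCTL` and `PR_SET_DUMPABLE`, so a build where configure does not find the header compiles the protection out with no diagnostic. I would widen the comment to say so, for example `/* For prctl() and PR_SET_DUMPABLE; without it the ptrace protection below is compiled out */`. That makes the dependency visible to anyone porting or packaging the agent.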
@@ -1023,6 +1027,11 @@
 	setegid(getgid());
 	setgid(getgid());
 
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+	/* Disable ptrace on Linux without sgid bit */
+	prctl(PR_SET_DUMPABLE, 0);
+#endif
+
 	SSLeay_add_all_algorithms();
 
 	__progname = ssh_get_progname(av[0]);
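Review bot: The result of `prctl(PR_SET_DUMPABLE, 0)` is discarded, so if the call fails the agent carries on holding private keys in a process that is still attachable and dumpable, and nothing records it. Check the result and at least report it, for example `if (prctl(PR_SET_DUMPABLE, 0) != 0) perror("prctl(PR_SET_DUMPABLE)");`; whether failure should be fatal is a policy decision. The comment should also say that the call has to stay after the `setegid()`/`setgid()` lines above, because Linux resets the dumpable flag when the effective IDs change. It is worth adding that the call also suppresses core dumps and does not restrict a tracer holding CAP_SYS_PTRACE. The enclosing function starts and ends outside this hunk, so I cannot see whether the project's logging is initialised at this point.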