Trying to understand why ssh-agent has the sgid bit, I found this post: ssh-agent has sgid.
I have another question: why is the group ownership of ssh-agent nobody rather than root? What is the reason behind it? Will it still work if the group ownership is root?
If it were setgid root then the agent would run as group root, which likely has broader permissions than the user it started as. That could be a security risk; at the least, running something as root unnecessarily is a red flag (even the group) and requires extra attentiveness.

Setting the group ownership to nobody, which is a group that shouldn't have any meaningful permissions or files attached, means that ssh-agent doesn't get any more rights than the user started with. As the linked question says, the reason it's setgid in the first place is to prevent ptracing the program, rather than because it actually needs different permissions. In the discussion thread linked from the other question, one of the developers notes:

"it would seem that the group is of no consequence. It's the fact that the binary is setgid anygroup that's important."

nobody is a handy group to use when you only want a side effect of setgid, not the behaviour itself.

I imagine it would still work with setgid root. I just tried that here, and it didn't complain at all and seemed to work in cursory testing. That said, I can't think of any actual reason to change it to that - everyone seems to be better off with it running as group nobody than group root.
I don't suggest changing the permissions of files installed by your package manager, in any case, because they tend to get upset about any modifications to the files they control.
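An added example, not code from the question, the answer or OpenSSH, that makes the answer's reasoning checkable on a real binary: it reads the set-id bits and group of a path, works out whether executing it would hand the caller a group it does not already have (the condition under which Linux marks the new process non-dumpable, which is what stops the same user from ptracing ssh-agent), classifies the group the way the answer does, and reports the calling process's own dumpable flag via prctl. The default path /usr/bin/ssh-agent, the group names "nobody" and "nogroup", and the temporary setgid file built by inspect_demo_setgid_file are assumptions made for the demonstration.

```c
/*
 * Added example (not from the original Q&A or from OpenSSH): inspect the
 * set-id bits of a binary, decide whether exec would change the caller's
 * effective credentials, classify the setgid group as the answer does, and
 * query the Linux "dumpable" flag that the kernel clears when a set-id exec
 * changes ids (an unprivileged ptrace attach to such a process is refused).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

struct privbits {
    int setuid;   /* S_ISUID present */
    int setgid;   /* S_ISGID present */
    uid_t uid;    /* file owner: the euid a setuid exec would grant */
    gid_t gid;    /* file group: the egid a setgid exec would grant */
};

/* Read mode and ownership of path into out. Returns 0 on success, -1 on error. */
int inspect_privbits(const char *path, struct privbits *out) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    out->setuid = (st.st_mode & S_ISUID) != 0;
    out->setgid = (st.st_mode & S_ISGID) != 0;
    out->uid = st.st_uid;
    out->gid = st.st_gid;
    return 0;
}

/* 1 if a set-id bit would hand the caller an id it does not already hold
 * (the case in which the kernel marks the new process non-dumpable), else 0. */
int exec_changes_credentials(const struct privbits *p) {
    if (p->setuid && p->uid != getuid()) return 1;
    if (p->setgid && p->gid != getgid()) return 1;
    return 0;
}

/* Classify the group a setgid binary would run as, following the answer:
 * gid 0 broadens privileges; "nobody"/"nogroup" (names assumed, they vary by
 * distribution) grant nothing useful; any other group deserves a look. */
const char *classify_setgid_group(gid_t gid) {
    if (gid == 0) return "root: broader permissions than the calling user";
    struct group *g = getgrgid(gid);
    if (g && (strcmp(g->gr_name, "nobody") == 0 || strcmp(g->gr_name, "nogroup") == 0))
        return "placeholder group: only the setgid side effect, no extra rights";
    return "real group: check which files and sockets it owns";
}

/* Dumpable flag of the calling process on Linux: 1 normal, 0 non-dumpable
 * (ptrace by the same uid is refused), -1 where prctl is unavailable. */
int current_process_dumpable(void) {
#ifdef __linux__
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
#else
    return -1;
#endif
}

/* Constructed demo input: a temp file in the caller's own group with the
 * setgid bit set, inspected and then removed. Returns 0 on success. */
int inspect_demo_setgid_file(struct privbits *out) {
    char path[] = "/tmp/privbits-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int rc = -1;
    /* chown first: changing ownership can clear set-id bits, and an
     * unprivileged chmod keeps S_ISGID only if the file's group is ours */
    if (fchown(fd, (uid_t)-1, getgid()) == 0 &&
        fchmod(fd, S_IRWXU | S_IRGRP | S_IXGRP | S_ISGID) == 0 &&
        inspect_privbits(path, out) == 0)
        rc = 0;
    close(fd);
    unlink(path);
    return rc;
}

int main(int argc, char **argv) {
    /* Default path is an assumption (a common install location); pass your own. */
    const char *path = argc > 1 ? argv[1] : "/usr/bin/ssh-agent";
    struct privbits p;
    if (inspect_privbits(path, &p) != 0) {
        fprintf(stderr, "%s: %s\n", path, strerror(errno));
        return 1;
    }
    struct group *g = getgrgid(p.gid);
    printf("%s: setuid=%d setgid=%d group=%s (gid %u)\n", path, p.setuid, p.setgid,
           g ? g->gr_name : "?", (unsigned)p.gid);
    if (p.setgid) printf("  setgid group is %s\n", classify_setgid_group(p.gid));
    printf("  exec would change effective credentials: %s\n",
           exec_changes_credentials(&p) ? "yes (process becomes non-dumpable)" : "no");
    printf("  dumpable flag of this process: %d\n", current_process_dumpable());
    return 0;
}
```

Compile with cc -o privbits privbits.c and run it against your ssh-agent path (or any binary). On a stock install you should see setgid=1 with a placeholder group and "exec would change effective credentials: yes", which is exactly the combination the answer describes: the kernel side effect that blocks ptrace, without the process gaining a group that owns anything.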