From e64dd96786723ced9c3b11a24b591135330e28da Mon Sep 17 00:00:00 2001
From: Xu Cheng
Date: Sat, 25 Jun 2016 18:26:31 +0800
Subject: [PATCH] ssh-agent: set umask 0077 for ssh-agent sock file

This is specially important for ssh-agent forwarding. Otherwise, other users in the host can use this socket in malicious way. Also update SSH_AUTH_SOCK to symlink for ssh forwarding with tmux/screen.
---
 plugins/ssh-agent/ssh-agent.plugin.zsh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/plugins/ssh-agent/ssh-agent.plugin.zsh b/plugins/ssh-agent/ssh-agent.plugin.zsh
index 610ad34dc..79ce1df88 100644
--- a/plugins/ssh-agent/ssh-agent.plugin.zsh
+++ b/plugins/ssh-agent/ssh-agent.plugin.zsh
@@ -37,7 +37,7 @@ function _plugin__start_agent()
 zstyle -s :omz:plugins:ssh-agent lifetime lifetime
 # start ssh-agent and setup environment
- /usr/bin/env ssh-agent ${lifetime:+-t} ${lifetime} | sed 's/^echo/#echo/' > ${_plugin__ssh_env}
+ (umask 0077; /usr/bin/env ssh-agent ${lifetime:+-t} ${lifetime} | sed 's/^echo/#echo/' > ${_plugin__ssh_env})
 chmod 600 ${_plugin__ssh_env}
 . ${_plugin__ssh_env} > /dev/null
@@ -60,7 +60,10 @@ fi
 zstyle -b :omz:plugins:ssh-agent agent-forwarding _plugin__forwarding
 if [[ ${_plugin__forwarding} == "yes" && -n "$SSH_AUTH_SOCK" ]]; then
 # Add a nifty symlink for screen/tmux if agent forwarding
- [[ -L $SSH_AUTH_SOCK ]] || ln -sf "$SSH_AUTH_SOCK" /tmp/ssh-agent-$USER-screen
+ if [[ ! -L $SSH_AUTH_SOCK ]]; then
+ (umask 0077; ln -sf "$SSH_AUTH_SOCK" /tmp/ssh-agent-$USER-screen)
+ export SSH_AUTH_SOCK="/tmp/ssh-agent-$USER-screen"
+ fi
 elif [ -f "${_plugin__ssh_env}" ]; then
 # Source SSH settings, if applicable
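Review bot: The `chmod 600 ${_plugin__ssh_env}` that follows the new `(umask 0077; …)` subshell is still load-bearing and should not be read as redundant now: umask only governs the mode of a file at creation, so when `${_plugin__ssh_env}` already exists from an earlier run the `>` redirection truncates it but keeps its old mode, and ssh-agent's output (including the socket path) is written into it before the chmod runs. A comment on the new line would stop a later cleanup from dropping the chmod, e.g. `# umask protects a freshly created env file; the chmod below fixes a pre-existing one`. Note also that the subject line talks about the agent socket file, while what this hunk protects is the environment file the agent's output is stored in — the socket itself is created by ssh-agent, not by this redirection — so the commit message could say "env file" to avoid implying the socket mode changed. The enclosing `_plugin__start_agent` function starts and ends outside the hunk.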
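Review bot: `export SSH_AUTH_SOCK="/tmp/ssh-agent-$USER-screen"` runs whether or not the preceding `ln -sf` succeeded, so if the link cannot be created (for example an entry of that name in sticky `/tmp` owned by another user, which `ln -sf` cannot replace) the shell is pointed at a path that is not the forwarded agent and the working socket path is lost for the session. Making the export conditional keeps the original value on failure: `if (umask 0077; ln -sf "$SSH_AUTH_SOCK" "/tmp/ssh-agent-$USER-screen"); then` / `export SSH_AUTH_SOCK="/tmp/ssh-agent-$USER-screen"` / `fi`. The `umask 0077` wrapper on this line is effectively a no-op for a symlink, since symlink permission bits are not consulted on access; what governs access to the forwarded socket is the target socket and its parent directory, which sshd appears to create with restrictive permissions already. The fixed, predictable name under `/tmp` is the weaker spot here, and a per-user directory such as `$XDG_RUNTIME_DIR` when it is set would be a safer location than `/tmp`. The `if`/`elif` chain this hunk changes continues past the end of the hunk.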