The WSL2 setup instructions include a script that creates the socket on a fixed path in a world-writable location using the default umask. As such it ends up with the socket being world readable and in a fixed location. I know in most cases WSL is used as a single-user system, so this is probably not as big a security issue as it would be in a normal Linux system, but it still seems like a bit of a flaw.
It would probably be better to use mktemp to create a directory with a random name and secure permissions, like the standard OpenSSH ssh-agent does. Something like:
```bash
# Reuse an already-running socat bridge if one exists; otherwise start one on a
# socket inside a fresh, randomly named directory that mktemp creates with mode 0700.
export SSH_AUTH_SOCK=$(ps ux | grep "[S]OCKET-CONNECT:40:0:x0000x33332222x02000000x00000000" | sed -e "s/.* UNIX-LISTEN:\(.\+\),fork SOCKET.*/\1/")
if [ -z "${SSH_AUTH_SOCK}" ]; then
    export SSH_AUTH_SOCK="$(mktemp -d -t winssh-XXXXXXXXXX)/wincrypt-hv.sock"
    # Detach socat from this shell so the bridge outlives the login session.
    (setsid -f nohup socat UNIX-LISTEN:"${SSH_AUTH_SOCK}",fork SOCKET-CONNECT:40:0:x0000x33332222x02000000x00000000 >/dev/null 2>&1)
fi
```
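As an added example (not part of the issue or the project's own setup script), a small POSIX shell check that refuses a socket directory unless it is owned by the caller and closed to group and others, and that creates a replacement the way the issue proposes. The function names are hypothetical and it assumes GNU coreutils `stat -c`.

```shell
#!/bin/sh
# Added example, not from the issue: validate the directory that will hold
# the agent socket before exporting SSH_AUTH_SOCK, instead of trusting a
# fixed path under a shared temp directory.
# Assumes GNU coreutils `stat -c`; function names are hypothetical.

# agent_dir_is_private DIR
# Returns 0 when DIR is a directory owned by the calling user with no
# group/other permission bits (the 0700 layout `mktemp -d` produces),
# and 1 for a shared location such as a 1777 /tmp.
agent_dir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -O "$dir" ] || return 1                  # owned by the current user
    mode=$(stat -c '%a' "$dir") || return 1    # octal mode, e.g. 700 or 1777
    case "$mode" in
        *00) return 0 ;;                       # group and other bits are clear
        *)   return 1 ;;
    esac
}

# make_private_agent_dir
# Creates a random-named 0700 directory under $TMPDIR (default /tmp) and
# prints its path; refuses to hand back anything that fails the check.
make_private_agent_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/winssh-XXXXXXXXXX") || return 1
    if ! agent_dir_is_private "$d"; then
        rmdir "$d"
        return 1
    fi
    printf '%s\n' "$d"
}

# agent_socket_path [EXISTING_SOCKET]
# Prints the socket path to export: the existing one if its directory is
# private, otherwise a new socket path inside a freshly created directory.
agent_socket_path() {
    existing=$1
    if [ -n "$existing" ] && agent_dir_is_private "$(dirname "$existing")"; then
        printf '%s\n' "$existing"
    else
        d=$(make_private_agent_dir) || return 1
        printf '%s/wincrypt-hv.sock\n' "$d"
    fi
}
```

In the setup script this replaces the bare `mktemp -d -t` call: a socket found in a shared directory is rejected and a private one is created in its place.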