summaryrefslogtreecommitdiff
path: root/auth-rhosts.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:09:58 +0000
committerColin Watson <cjwatson@debian.org>2015-08-19 17:09:56 +0100
commit209c51110996719eab04236d72f776eed6bd8226 (patch)
treea099dc0f9ea7c6740083d222e25be00ca79dea8b /auth-rhosts.c
parent1197fd975ab8fd11b1ac83557ef750129b16c0d8 (diff)
Allow harmless group-writability
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2013-09-14 Patch-Name: user-group-modes.patch
Diffstat (limited to 'auth-rhosts.c')
-rw-r--r--auth-rhosts.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/auth-rhosts.c b/auth-rhosts.c
index ee9e827af..2ff2cffa9 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -271,8 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
271 return 0; 271 return 0;
272 } 272 }
273 if (options.strict_modes && 273 if (options.strict_modes &&
274 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 274 !secure_permissions(&st, pw->pw_uid)) {
275 (st.st_mode & 022) != 0)) {
276 logit("Rhosts authentication refused for %.100s: " 275 logit("Rhosts authentication refused for %.100s: "
277 "bad ownership or modes for home directory.", pw->pw_name); 276 "bad ownership or modes for home directory.", pw->pw_name);
278 auth_debug_add("Rhosts authentication refused for %.100s: " 277 auth_debug_add("Rhosts authentication refused for %.100s: "
@@ -298,8 +297,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
298 * allowing access to their account by anyone. 297 * allowing access to their account by anyone.
299 */ 298 */
300 if (options.strict_modes && 299 if (options.strict_modes &&
301 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 300 !secure_permissions(&st, pw->pw_uid)) {
302 (st.st_mode & 022) != 0)) {
303 logit("Rhosts authentication refused for %.100s: bad modes for %.200s", 301 logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
304 pw->pw_name, buf); 302 pw->pw_name, buf);
305 auth_debug_add("Bad file modes for %.200s", buf); 303 auth_debug_add("Bad file modes for %.200s", buf);