- markus@cvs.openbsd.org 2001/09/23 11:09:13

     [authfile.c]
     relax permission check for private key files.

1 files changed, 10 insertions, 7 deletions

diff --git a/authfile.c b/authfile.c
index b4b985c95..cf2957dde 100644
--- a/authfile.c
+++ b/authfile.c
@@ -36,7 +36,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: authfile.c,v 1.37 2001/06/23 15:12:17 itojun Exp $");
+RCSID("$OpenBSD: authfile.c,v 1.38 2001/09/23 11:09:13 markus Exp $");
 
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -486,18 +486,21 @@ key_perm_ok(int fd, const char *filename)
 {
         struct stat st;
 
-        /* check owner and modes */
+        if (fstat(fd, &st) < 0)
+                return 0;
+        /*
+         * if a key owned by the user is accessed, then we check the
+         * permissions of the file. if the key owned by a different user,
+         * then we don't care.
+         */
 #ifdef HAVE_CYGWIN
         if (check_ntsec(filename))
 #endif
-        if (fstat(fd, &st) < 0 ||
-            (st.st_uid != 0 && getuid() != 0 && st.st_uid != getuid()) ||
-            (st.st_mode & 077) != 0) {
-                close(fd);
+        if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
                 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
                 error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
                 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-                error("Bad ownership or mode(0%3.3o) for '%s'.",
+                error("Permissions 0%3.3o for '%s' are too open.",
                     st.st_mode & 0777, filename);
                 error("It is recommended that your private key files are NOT accessible by others.");
                 error("This private key will be ignored.");