diff options
| author | Colin Watson <cjwatson@debian.org> | 2013-05-07 11:47:26 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2013-05-07 11:47:26 +0100 |
| commit | 2ea3f720daeb1ca9f765365fce3a9546961fe624 (patch) | |
| tree | c4fb7d1f51fa51e7677232de806aae150e29e2ac /debian/patches/user-group-modes.patch | |
| parent | f5efcd3450bbf8261915e0c4a6f851229dddaa79 (diff) | |
| parent | ecebda56da46a03dafff923d91c382f31faa9eec (diff) | |
* New upstream release (http://www.openssh.com/txt/release-6.2).
- Add support for multiple required authentication in SSH protocol 2 via
an AuthenticationMethods option (closes: #195716).
- Fix Sophie Germain formula in moduli(5) (closes: #698612).
- Update ssh-copy-id to Phil Hands' greatly revised version (closes:
#99785, #322228, #620428; LP: #518883, #835901, #1074798).
Diffstat (limited to 'debian/patches/user-group-modes.patch')
| -rw-r--r-- | debian/patches/user-group-modes.patch | 28 |
1 files changed, 14 insertions, 14 deletions
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 1368ccb3c..ddedbf79a 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
| @@ -9,7 +9,7 @@ Description: Allow harmless group-writability | |||
| 9 | Author: Colin Watson <cjwatson@debian.org> | 9 | Author: Colin Watson <cjwatson@debian.org> |
| 10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 | 10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 |
| 11 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 | 11 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 |
| 12 | Last-Update: 2010-02-27 | 12 | Last-Update: 2013-05-07 |
| 13 | 13 | ||
| 14 | Index: b/readconf.c | 14 | Index: b/readconf.c |
| 15 | =================================================================== | 15 | =================================================================== |
| @@ -38,7 +38,7 @@ Index: b/ssh.1 | |||
| 38 | =================================================================== | 38 | =================================================================== |
| 39 | --- a/ssh.1 | 39 | --- a/ssh.1 |
| 40 | +++ b/ssh.1 | 40 | +++ b/ssh.1 |
| 41 | @@ -1312,6 +1312,8 @@ | 41 | @@ -1320,6 +1320,8 @@ |
| 42 | .Xr ssh_config 5 . | 42 | .Xr ssh_config 5 . |
| 43 | Because of the potential for abuse, this file must have strict permissions: | 43 | Because of the potential for abuse, this file must have strict permissions: |
| 44 | read/write for the user, and not accessible by others. | 44 | read/write for the user, and not accessible by others. |
| @@ -51,7 +51,7 @@ Index: b/ssh_config.5 | |||
| 51 | =================================================================== | 51 | =================================================================== |
| 52 | --- a/ssh_config.5 | 52 | --- a/ssh_config.5 |
| 53 | +++ b/ssh_config.5 | 53 | +++ b/ssh_config.5 |
| 54 | @@ -1342,6 +1342,8 @@ | 54 | @@ -1356,6 +1356,8 @@ |
| 55 | This file is used by the SSH client. | 55 | This file is used by the SSH client. |
| 56 | Because of the potential for abuse, this file must have strict permissions: | 56 | Because of the potential for abuse, this file must have strict permissions: |
| 57 | read/write for the user, and not accessible by others. | 57 | read/write for the user, and not accessible by others. |
| @@ -64,7 +64,7 @@ Index: b/auth.c | |||
| 64 | =================================================================== | 64 | =================================================================== |
| 65 | --- a/auth.c | 65 | --- a/auth.c |
| 66 | +++ b/auth.c | 66 | +++ b/auth.c |
| 67 | @@ -381,8 +381,7 @@ | 67 | @@ -386,8 +386,7 @@ |
| 68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
| 69 | if (options.strict_modes && | 69 | if (options.strict_modes && |
| 70 | (stat(user_hostfile, &st) == 0) && | 70 | (stat(user_hostfile, &st) == 0) && |
| @@ -74,21 +74,21 @@ Index: b/auth.c | |||
| 74 | logit("Authentication refused for %.100s: " | 74 | logit("Authentication refused for %.100s: " |
| 75 | "bad owner or modes for %.200s", | 75 | "bad owner or modes for %.200s", |
| 76 | pw->pw_name, user_hostfile); | 76 | pw->pw_name, user_hostfile); |
| 77 | @@ -443,8 +442,7 @@ | 77 | @@ -449,8 +448,7 @@ |
| 78 | 78 | snprintf(err, errlen, "%s is not a regular file", buf); | |
| 79 | /* check the open file to avoid races */ | 79 | return -1; |
| 80 | if (fstat(fileno(f), &st) < 0 || | 80 | } |
| 81 | - (st.st_uid != 0 && st.st_uid != uid) || | 81 | - if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) || |
| 82 | - (st.st_mode & 022) != 0) { | 82 | - (stp->st_mode & 022) != 0) { |
| 83 | + !secure_permissions(&st, uid)) { | 83 | + if (!secure_permissions(stp, uid)) { |
| 84 | snprintf(err, errlen, "bad ownership or modes for file %s", | 84 | snprintf(err, errlen, "bad ownership or modes for file %s", |
| 85 | buf); | 85 | buf); |
| 86 | return -1; | 86 | return -1; |
| 87 | @@ -459,8 +457,7 @@ | 87 | @@ -465,8 +463,7 @@ |
| 88 | strlcpy(buf, cp, sizeof(buf)); | 88 | strlcpy(buf, cp, sizeof(buf)); |
| 89 | 89 | ||
| 90 | if (stat(buf, &st) < 0 || | 90 | if (stat(buf, &st) < 0 || |
| 91 | - (st.st_uid != 0 && st.st_uid != uid) || | 91 | - (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || |
| 92 | - (st.st_mode & 022) != 0) { | 92 | - (st.st_mode & 022) != 0) { |
| 93 | + !secure_permissions(&st, uid)) { | 93 | + !secure_permissions(&st, uid)) { |
| 94 | snprintf(err, errlen, | 94 | snprintf(err, errlen, |
| @@ -115,7 +115,7 @@ Index: b/misc.c | |||
| 115 | int | 115 | int |
| 116 | +secure_permissions(struct stat *st, uid_t uid) | 116 | +secure_permissions(struct stat *st, uid_t uid) |
| 117 | +{ | 117 | +{ |
| 118 | + if (st->st_uid != 0 && st->st_uid != uid) | 118 | + if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid) |
| 119 | + return 0; | 119 | + return 0; |
| 120 | + if ((st->st_mode & 002) != 0) | 120 | + if ((st->st_mode & 002) != 0) |
| 121 | + return 0; | 121 | + return 0; |