Initialize git-dpm

author: Colin Watson <cjwatson@debian.org> 2014-02-09 16:10:19 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-02-09 16:25:52 +0000
commit: d26565af8589d88f824b26f31da493f1056efcf4 (patch)
tree: ff5e3b9c0fbb553f4f4c6e8836070659f266108e /debian/patches/user-group-modes.patch
parent: 16fb149cbb42efe0cb13f3edbafcb1a21ecfe574 (diff)
parent: bb5616c94d6d6b97890e90dd01a7ad07c663dc0b (diff)
1 files changed, 111 insertions, 95 deletions
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index ac00edac6..9382d5086 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,70 +1,61 @@
-Description: Allow harmless group-writability
+From 7016a7e8a6b854833132db253fd5e392984bd4ea Mon Sep 17 00:00:00 2001
- Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
+From: Colin Watson <cjwatson@debian.org>
- group-writable, provided that the group in question contains only the
+Date: Sun, 9 Feb 2014 16:09:58 +0000
- file's owner.  Rejected upstream for IMO incorrect reasons (e.g. a
+Subject: Allow harmless group-writability
- misunderstanding about the contents of gr->gr_mem).  Given that
- per-user groups and umask 002 are the default setup in Debian (for good
+Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
- reasons - this makes operating in setgid directories with other groups
+group-writable, provided that the group in question contains only the file's
- much easier), we need to permit this by default.
+owner.  Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
-Author: Colin Watson <cjwatson@debian.org>
+about the contents of gr->gr_mem).  Given that per-user groups and umask 002
+are the default setup in Debian (for good reasons - this makes operating in
+setgid directories with other groups much easier), we need to permit this by
+default.
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
 Last-Update: 2013-09-14
-Index: b/readconf.c
+Patch-Name: user-group-modes.patch
-===================================================================
+---
--- a/readconf.c
+ auth-rhosts.c |  6 ++----
-+++ b/readconf.c
+ auth.c        |  9 +++-----
-@@ -30,6 +30,8 @@
+ misc.c        | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
- #include <stdio.h>
+ misc.h        |  2 ++
- #include <string.h>
+ platform.c    | 16 --------------
- #include <unistd.h>
+ readconf.c    |  5 +++--
-+#include <pwd.h>
+ ssh.1         |  2 ++
-+#include <grp.h>
+ ssh_config.5  |  2 ++
- #ifdef HAVE_UTIL_H
+ 8 files changed, 82 insertions(+), 29 deletions(-)
- #include <util.h>
- #endif
+diff --git a/auth-rhosts.c b/auth-rhosts.c
-@@ -1160,8 +1162,7 @@
+index 06ae7f0..f202787 100644
- 
+--- a/auth-rhosts.c
-                if (fstat(fileno(f), &sb) == -1)
+++ b/auth-rhosts.c
-                        fatal("fstat %s: %s", filename, strerror(errno));
+@@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
-               if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
+                return 0;
-                   (sb.st_mode & 022) != 0))
-+               if (!secure_permissions(&sb, getuid()))
-                        fatal("Bad owner or permissions on %s", filename);
        }
- 
+        if (options.strict_modes &&
-Index: b/ssh.1
+-           ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-===================================================================
+-           (st.st_mode & 022) != 0)) {
--- a/ssh.1
+           !secure_permissions(&st, pw->pw_uid)) {
-+++ b/ssh.1
+                logit("Rhosts authentication refused for %.100s: "
-@@ -1338,6 +1338,8 @@
+                    "bad ownership or modes for home directory.", pw->pw_name);
- .Xr ssh_config 5 .
+                auth_debug_add("Rhosts authentication refused for %.100s: "
- Because of the potential for abuse, this file must have strict permissions:
+@@ -283,8 +282,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
- read/write for the user, and not writable by others.
+                 * allowing access to their account by anyone.
-+It may be group-writable provided that the group in question contains only
+                 */
-+the user.
+                if (options.strict_modes &&
- .Pp
+-                   ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- .It Pa ~/.ssh/environment
+-                   (st.st_mode & 022) != 0)) {
- Contains additional definitions for environment variables; see
+                   !secure_permissions(&st, pw->pw_uid)) {
-Index: b/ssh_config.5
+                        logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
-===================================================================
+                            pw->pw_name, buf);
--- a/ssh_config.5
+                        auth_debug_add("Bad file modes for %.200s", buf);
-+++ b/ssh_config.5
+diff --git a/auth.c b/auth.c
-@@ -1382,6 +1382,8 @@
+index 6662e9a..7f6c6c8 100644
- This file is used by the SSH client.
- Because of the potential for abuse, this file must have strict permissions:
- read/write for the user, and not accessible by others.
-+It may be group-writable provided that the group in question contains only
-+the user.
- .It Pa /etc/ssh/ssh_config
- Systemwide configuration file.
- This file provides defaults for those
-Index: b/auth.c
-===================================================================
 --- a/auth.c
 +++ b/auth.c
-@@ -408,8 +408,7 @@
+@@ -408,8 +408,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
                user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
                if (options.strict_modes &&
                    (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +65,7 @@ Index: b/auth.c
                        logit("Authentication refused for %.100s: "
                            "bad owner or modes for %.200s",
                            pw->pw_name, user_hostfile);
-@@ -471,8 +470,7 @@
+@@ -471,8 +470,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
                snprintf(err, errlen, "%s is not a regular file", buf);
                return -1;
        }
@@ -84,7 +75,7 @@ Index: b/auth.c
                snprintf(err, errlen, "bad ownership or modes for file %s",
                    buf);
                return -1;
-@@ -487,8 +485,7 @@
+@@ -487,8 +485,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
                strlcpy(buf, cp, sizeof(buf));
 
                if (stat(buf, &st) < 0 ||
@@ -94,8 +85,8 @@ Index: b/auth.c
                        snprintf(err, errlen,
                            "bad ownership or modes for directory %s", buf);
                        return -1;
-Index: b/misc.c
+diff --git a/misc.c b/misc.c
-===================================================================
+index c3c8099..eb57bfc 100644
 --- a/misc.c
 +++ b/misc.c
 @@ -48,8 +48,9 @@
@@ -117,7 +108,7 @@ Index: b/misc.c
 
 /* remove newline at end of string */
 char *
-@@ -642,6 +644,71 @@
+@@ -642,6 +644,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
        return -1;
 }
 
@@ -189,46 +180,22 @@ Index: b/misc.c
 int
 tun_open(int tun, int mode)
 {
-Index: b/misc.h
+diff --git a/misc.h b/misc.h
-===================================================================
+index fceb306..51ba182 100644
 --- a/misc.h
 +++ b/misc.h
-@@ -104,4 +104,6 @@
+@@ -104,4 +104,6 @@ char        *read_passphrase(const char *, int);
 int     ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
 int     read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
 
 +int     secure_permissions(struct stat *st, uid_t uid);
 +
 #endif /* _MISC_H */
-Index: b/auth-rhosts.c
+diff --git a/platform.c b/platform.c
-===================================================================
+index a962f15..0b3bee1 100644
--- a/auth-rhosts.c
-+++ b/auth-rhosts.c
-@@ -256,8 +256,7 @@
-                return 0;
-        }
-        if (options.strict_modes &&
-           ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-           (st.st_mode & 022) != 0)) {
-+           !secure_permissions(&st, pw->pw_uid)) {
-                logit("Rhosts authentication refused for %.100s: "
-                    "bad ownership or modes for home directory.", pw->pw_name);
-                auth_debug_add("Rhosts authentication refused for %.100s: "
-@@ -283,8 +282,7 @@
-                 * allowing access to their account by anyone.
-                 */
-                if (options.strict_modes &&
-                   ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-                   (st.st_mode & 022) != 0)) {
-+                   !secure_permissions(&st, pw->pw_uid)) {
-                        logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
-                            pw->pw_name, buf);
-                        auth_debug_add("Bad file modes for %.200s", buf);
-Index: b/platform.c
-===================================================================
 --- a/platform.c
 +++ b/platform.c
-@@ -194,19 +194,3 @@
+@@ -194,19 +194,3 @@ platform_krb5_get_principal_name(const char *pw_name)
        return NULL;
 #endif
 }
@@ -248,3 +215,52 @@ Index: b/platform.c
 -#endif
 -       return 0;
 -}
+diff --git a/readconf.c b/readconf.c
+index 2dcbf31..389de7d 100644
+--- a/readconf.c
+++ b/readconf.c
+@@ -30,6 +30,8 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
+@@ -1160,8 +1162,7 @@ read_config_file(const char *filename, const char *host, Options *options,
+ 
+                if (fstat(fileno(f), &sb) == -1)
+                        fatal("fstat %s: %s", filename, strerror(errno));
+-               if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
+-                   (sb.st_mode & 022) != 0))
+               if (!secure_permissions(&sb, getuid()))
+                        fatal("Bad owner or permissions on %s", filename);
+        }
+ 
+diff --git a/ssh.1 b/ssh.1
+index 66a7007..0b38ae1 100644
+--- a/ssh.1
+++ b/ssh.1
+@@ -1338,6 +1338,8 @@ The file format and configuration options are described in
+ .Xr ssh_config 5 .
+ Because of the potential for abuse, this file must have strict permissions:
+ read/write for the user, and not writable by others.
+It may be group-writable provided that the group in question contains only
+the user.
+ .Pp
+ .It Pa ~/.ssh/environment
+ Contains additional definitions for environment variables; see
+diff --git a/ssh_config.5 b/ssh_config.5
+index 135d833..1497cfc 100644
+--- a/ssh_config.5
+++ b/ssh_config.5
+@@ -1382,6 +1382,8 @@ The format of this file is described above.
+ This file is used by the SSH client.
+ Because of the potential for abuse, this file must have strict permissions:
+ read/write for the user, and not accessible by others.
+It may be group-writable provided that the group in question contains only
+the user.
+ .It Pa /etc/ssh/ssh_config
+ Systemwide configuration file.
+ This file provides defaults for those
author	Colin Watson <cjwatson@debian.org>	2014-02-09 16:10:19 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-02-09 16:25:52 +0000
commit	d26565af8589d88f824b26f31da493f1056efcf4 (patch)
tree	ff5e3b9c0fbb553f4f4c6e8836070659f266108e /debian/patches/user-group-modes.patch
parent	16fb149cbb42efe0cb13f3edbafcb1a21ecfe574 (diff)
parent	bb5616c94d6d6b97890e90dd01a7ad07c663dc0b (diff)

diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index ac00edac6..9382d5086 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch
@@ -1,70 +1,61 @@
1	Description: Allow harmless group-writability	1	From 7016a7e8a6b854833132db253fd5e392984bd4ea Mon Sep 17 00:00:00 2001
2	Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be	2	From: Colin Watson <cjwatson@debian.org>
3	group-writable, provided that the group in question contains only the	3	Date: Sun, 9 Feb 2014 16:09:58 +0000
4	file's owner. Rejected upstream for IMO incorrect reasons (e.g. a	4	Subject: Allow harmless group-writability
5	misunderstanding about the contents of gr->gr_mem). Given that	5
6	per-user groups and umask 002 are the default setup in Debian (for good	6	Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
7	reasons - this makes operating in setgid directories with other groups	7	group-writable, provided that the group in question contains only the file's
8	much easier), we need to permit this by default.	8	owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
9	Author: Colin Watson <cjwatson@debian.org>	9	about the contents of gr->gr_mem). Given that per-user groups and umask 002
		10	are the default setup in Debian (for good reasons - this makes operating in
		11	setgid directories with other groups much easier), we need to permit this by
		12	default.
		13
10	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060	14	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
11	Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347	15	Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
12	Last-Update: 2013-09-14	16	Last-Update: 2013-09-14
13		17
14	Index: b/readconf.c	18	Patch-Name: user-group-modes.patch
15	===================================================================	19	---
16	--- a/readconf.c	20	auth-rhosts.c \| 6 ++----
17	+++ b/readconf.c	21	auth.c \| 9 +++-----
18	@@ -30,6 +30,8 @@	22	misc.c \| 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
19	#include <stdio.h>	23	misc.h \| 2 ++
20	#include <string.h>	24	platform.c \| 16 --------------
21	#include <unistd.h>	25	readconf.c \| 5 +++--
22	+#include <pwd.h>	26	ssh.1 \| 2 ++
23	+#include <grp.h>	27	ssh_config.5 \| 2 ++
24	#ifdef HAVE_UTIL_H	28	8 files changed, 82 insertions(+), 29 deletions(-)
25	#include <util.h>	29
26	#endif	30	diff --git a/auth-rhosts.c b/auth-rhosts.c
27	@@ -1160,8 +1162,7 @@	31	index 06ae7f0..f202787 100644
28		32	--- a/auth-rhosts.c
29	if (fstat(fileno(f), &sb) == -1)	33	+++ b/auth-rhosts.c
30	fatal("fstat %s: %s", filename, strerror(errno));	34	@@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd pw, const char client_user, const char *hostnam
31	- if (((sb.st_uid != 0 && sb.st_uid != getuid()) \|\|	35	return 0;
32	- (sb.st_mode & 022) != 0))
33	+ if (!secure_permissions(&sb, getuid()))
34	fatal("Bad owner or permissions on %s", filename);
35	}	36	}
36		37	if (options.strict_modes &&
37	Index: b/ssh.1	38	- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
38	===================================================================	39	- (st.st_mode & 022) != 0)) {
39	--- a/ssh.1	40	+ !secure_permissions(&st, pw->pw_uid)) {
40	+++ b/ssh.1	41	logit("Rhosts authentication refused for %.100s: "
41	@@ -1338,6 +1338,8 @@	42	"bad ownership or modes for home directory.", pw->pw_name);
42	.Xr ssh_config 5 .	43	auth_debug_add("Rhosts authentication refused for %.100s: "
43	Because of the potential for abuse, this file must have strict permissions:	44	@@ -283,8 +282,7 @@ auth_rhosts2_raw(struct passwd pw, const char client_user, const char *hostnam
44	read/write for the user, and not writable by others.	45	* allowing access to their account by anyone.
45	+It may be group-writable provided that the group in question contains only	46	*/
46	+the user.	47	if (options.strict_modes &&
47	.Pp	48	- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
48	.It Pa ~/.ssh/environment	49	- (st.st_mode & 022) != 0)) {
49	Contains additional definitions for environment variables; see	50	+ !secure_permissions(&st, pw->pw_uid)) {
50	Index: b/ssh_config.5	51	logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
51	===================================================================	52	pw->pw_name, buf);
52	--- a/ssh_config.5	53	auth_debug_add("Bad file modes for %.200s", buf);
53	+++ b/ssh_config.5	54	diff --git a/auth.c b/auth.c
54	@@ -1382,6 +1382,8 @@	55	index 6662e9a..7f6c6c8 100644
55	This file is used by the SSH client.
56	Because of the potential for abuse, this file must have strict permissions:
57	read/write for the user, and not accessible by others.
58	+It may be group-writable provided that the group in question contains only
59	+the user.
60	.It Pa /etc/ssh/ssh_config
61	Systemwide configuration file.
62	This file provides defaults for those
63	Index: b/auth.c
64	===================================================================
65	--- a/auth.c	56	--- a/auth.c
66	+++ b/auth.c	57	+++ b/auth.c
67	@@ -408,8 +408,7 @@	58	@@ -408,8 +408,7 @@ check_key_in_hostfiles(struct passwd pw, Key key, const char *host,
68	user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);	59	user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
69	if (options.strict_modes &&	60	if (options.strict_modes &&
70	(stat(user_hostfile, &st) == 0) &&	61	(stat(user_hostfile, &st) == 0) &&
@@ -74,7 +65,7 @@ Index: b/auth.c
74	logit("Authentication refused for %.100s: "	65	logit("Authentication refused for %.100s: "
75	"bad owner or modes for %.200s",	66	"bad owner or modes for %.200s",
76	pw->pw_name, user_hostfile);	67	pw->pw_name, user_hostfile);
77	@@ -471,8 +470,7 @@	68	@@ -471,8 +470,7 @@ auth_secure_path(const char name, struct stat stp, const char *pw_dir,
78	snprintf(err, errlen, "%s is not a regular file", buf);	69	snprintf(err, errlen, "%s is not a regular file", buf);
79	return -1;	70	return -1;
80	}	71	}
@@ -84,7 +75,7 @@ Index: b/auth.c
84	snprintf(err, errlen, "bad ownership or modes for file %s",	75	snprintf(err, errlen, "bad ownership or modes for file %s",
85	buf);	76	buf);
86	return -1;	77	return -1;
87	@@ -487,8 +485,7 @@	78	@@ -487,8 +485,7 @@ auth_secure_path(const char name, struct stat stp, const char *pw_dir,
88	strlcpy(buf, cp, sizeof(buf));	79	strlcpy(buf, cp, sizeof(buf));
89		80
90	if (stat(buf, &st) < 0 \|\|	81	if (stat(buf, &st) < 0 \|\|
@@ -94,8 +85,8 @@ Index: b/auth.c
94	snprintf(err, errlen,	85	snprintf(err, errlen,
95	"bad ownership or modes for directory %s", buf);	86	"bad ownership or modes for directory %s", buf);
96	return -1;	87	return -1;
97	Index: b/misc.c	88	diff --git a/misc.c b/misc.c
98	===================================================================	89	index c3c8099..eb57bfc 100644
99	--- a/misc.c	90	--- a/misc.c
100	+++ b/misc.c	91	+++ b/misc.c
101	@@ -48,8 +48,9 @@	92	@@ -48,8 +48,9 @@
@@ -117,7 +108,7 @@ Index: b/misc.c
117		108
118	/* remove newline at end of string */	109	/* remove newline at end of string */
119	char *	110	char *
120	@@ -642,6 +644,71 @@	111	@@ -642,6 +644,71 @@ read_keyfile_line(FILE f, const char filename, char *buf, size_t bufsz,
121	return -1;	112	return -1;
122	}	113	}
123		114
@@ -189,46 +180,22 @@ Index: b/misc.c
189	int	180	int
190	tun_open(int tun, int mode)	181	tun_open(int tun, int mode)
191	{	182	{
192	Index: b/misc.h	183	diff --git a/misc.h b/misc.h
193	===================================================================	184	index fceb306..51ba182 100644
194	--- a/misc.h	185	--- a/misc.h
195	+++ b/misc.h	186	+++ b/misc.h
196	@@ -104,4 +104,6 @@	187	@@ -104,4 +104,6 @@ char read_passphrase(const char , int);
197	int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));	188	int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
198	int read_keyfile_line(FILE , const char , char , size_t, u_long );	189	int read_keyfile_line(FILE , const char , char , size_t, u_long );
199		190
200	+int secure_permissions(struct stat *st, uid_t uid);	191	+int secure_permissions(struct stat *st, uid_t uid);
201	+	192	+
202	#endif /* _MISC_H */	193	#endif /* _MISC_H */
203	Index: b/auth-rhosts.c	194	diff --git a/platform.c b/platform.c
204	===================================================================	195	index a962f15..0b3bee1 100644
205	--- a/auth-rhosts.c
206	+++ b/auth-rhosts.c
207	@@ -256,8 +256,7 @@
208	return 0;
209	}
210	if (options.strict_modes &&
211	- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
212	- (st.st_mode & 022) != 0)) {
213	+ !secure_permissions(&st, pw->pw_uid)) {
214	logit("Rhosts authentication refused for %.100s: "
215	"bad ownership or modes for home directory.", pw->pw_name);
216	auth_debug_add("Rhosts authentication refused for %.100s: "
217	@@ -283,8 +282,7 @@
218	* allowing access to their account by anyone.
219	*/
220	if (options.strict_modes &&
221	- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
222	- (st.st_mode & 022) != 0)) {
223	+ !secure_permissions(&st, pw->pw_uid)) {
224	logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
225	pw->pw_name, buf);
226	auth_debug_add("Bad file modes for %.200s", buf);
227	Index: b/platform.c
228	===================================================================
229	--- a/platform.c	196	--- a/platform.c
230	+++ b/platform.c	197	+++ b/platform.c
231	@@ -194,19 +194,3 @@	198	@@ -194,19 +194,3 @@ platform_krb5_get_principal_name(const char *pw_name)
232	return NULL;	199	return NULL;
233	#endif	200	#endif
234	}	201	}
@@ -248,3 +215,52 @@ Index: b/platform.c
248	-#endif	215	-#endif
249	- return 0;	216	- return 0;
250	-}	217	-}
		218	diff --git a/readconf.c b/readconf.c
		219	index 2dcbf31..389de7d 100644
		220	--- a/readconf.c
		221	+++ b/readconf.c
		222	@@ -30,6 +30,8 @@
		223	#include <stdio.h>
		224	#include <string.h>
		225	#include <unistd.h>
		226	+#include <pwd.h>
		227	+#include <grp.h>
		228	#ifdef HAVE_UTIL_H
		229	#include <util.h>
		230	#endif
		231	@@ -1160,8 +1162,7 @@ read_config_file(const char filename, const char host, Options *options,
		232
		233	if (fstat(fileno(f), &sb) == -1)
		234	fatal("fstat %s: %s", filename, strerror(errno));
		235	- if (((sb.st_uid != 0 && sb.st_uid != getuid()) \|\|
		236	- (sb.st_mode & 022) != 0))
		237	+ if (!secure_permissions(&sb, getuid()))
		238	fatal("Bad owner or permissions on %s", filename);
		239	}
		240
		241	diff --git a/ssh.1 b/ssh.1
		242	index 66a7007..0b38ae1 100644
		243	--- a/ssh.1
		244	+++ b/ssh.1
		245	@@ -1338,6 +1338,8 @@ The file format and configuration options are described in
		246	.Xr ssh_config 5 .
		247	Because of the potential for abuse, this file must have strict permissions:
		248	read/write for the user, and not writable by others.
		249	+It may be group-writable provided that the group in question contains only
		250	+the user.
		251	.Pp
		252	.It Pa ~/.ssh/environment
		253	Contains additional definitions for environment variables; see
		254	diff --git a/ssh_config.5 b/ssh_config.5
		255	index 135d833..1497cfc 100644
		256	--- a/ssh_config.5
		257	+++ b/ssh_config.5
		258	@@ -1382,6 +1382,8 @@ The format of this file is described above.
		259	This file is used by the SSH client.
		260	Because of the potential for abuse, this file must have strict permissions:
		261	read/write for the user, and not accessible by others.
		262	+It may be group-writable provided that the group in question contains only
		263	+the user.
		264	.It Pa /etc/ssh/ssh_config
		265	Systemwide configuration file.
		266	This file provides defaults for those