author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:19 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:25:52 +0000 |
commit | d26565af8589d88f824b26f31da493f1056efcf4 (patch) | |
tree | ff5e3b9c0fbb553f4f4c6e8836070659f266108e /debian/patches/user-group-modes.patch | |
parent | 16fb149cbb42efe0cb13f3edbafcb1a21ecfe574 (diff) | |
parent | bb5616c94d6d6b97890e90dd01a7ad07c663dc0b (diff) |
Initialize git-dpm
Diffstat (limited to 'debian/patches/user-group-modes.patch')
-rw-r--r-- | debian/patches/user-group-modes.patch | 206 |
1 files changed, 111 insertions, 95 deletions
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index ac00edac6..9382d5086 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,70 +1,61 @@ | |||
1 | Description: Allow harmless group-writability | 1 | From 7016a7e8a6b854833132db253fd5e392984bd4ea Mon Sep 17 00:00:00 2001 |
2 | Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | group-writable, provided that the group in question contains only the | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | file's owner. Rejected upstream for IMO incorrect reasons (e.g. a | 4 | Subject: Allow harmless group-writability |
5 | misunderstanding about the contents of gr->gr_mem). Given that | 5 | |
6 | per-user groups and umask 002 are the default setup in Debian (for good | 6 | Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be |
7 | reasons - this makes operating in setgid directories with other groups | 7 | group-writable, provided that the group in question contains only the file's |
8 | much easier), we need to permit this by default. | 8 | owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding |
9 | Author: Colin Watson <cjwatson@debian.org> | 9 | about the contents of gr->gr_mem). Given that per-user groups and umask 002 |
10 | are the default setup in Debian (for good reasons - this makes operating in | ||
11 | setgid directories with other groups much easier), we need to permit this by | ||
12 | default. | ||
13 | |||
10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 | 14 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 |
11 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 | 15 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 |
12 | Last-Update: 2013-09-14 | 16 | Last-Update: 2013-09-14 |
13 | 17 | ||
14 | Index: b/readconf.c | 18 | Patch-Name: user-group-modes.patch |
15 | =================================================================== | 19 | --- |
16 | --- a/readconf.c | 20 | auth-rhosts.c | 6 ++---- |
17 | +++ b/readconf.c | 21 | auth.c | 9 +++----- |
18 | @@ -30,6 +30,8 @@ | 22 | misc.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- |
19 | #include <stdio.h> | 23 | misc.h | 2 ++ |
20 | #include <string.h> | 24 | platform.c | 16 -------------- |
21 | #include <unistd.h> | 25 | readconf.c | 5 +++-- |
22 | +#include <pwd.h> | 26 | ssh.1 | 2 ++ |
23 | +#include <grp.h> | 27 | ssh_config.5 | 2 ++ |
24 | #ifdef HAVE_UTIL_H | 28 | 8 files changed, 82 insertions(+), 29 deletions(-) |
25 | #include <util.h> | 29 | |
26 | #endif | 30 | diff --git a/auth-rhosts.c b/auth-rhosts.c |
27 | @@ -1160,8 +1162,7 @@ | 31 | index 06ae7f0..f202787 100644 |
28 | 32 | --- a/auth-rhosts.c | |
29 | if (fstat(fileno(f), &sb) == -1) | 33 | +++ b/auth-rhosts.c |
30 | fatal("fstat %s: %s", filename, strerror(errno)); | 34 | @@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam |
31 | - if (((sb.st_uid != 0 && sb.st_uid != getuid()) || | 35 | return 0; |
32 | - (sb.st_mode & 022) != 0)) | ||
33 | + if (!secure_permissions(&sb, getuid())) | ||
34 | fatal("Bad owner or permissions on %s", filename); | ||
35 | } | 36 | } |
36 | 37 | if (options.strict_modes && | |
37 | Index: b/ssh.1 | 38 | - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
38 | =================================================================== | 39 | - (st.st_mode & 022) != 0)) { |
39 | --- a/ssh.1 | 40 | + !secure_permissions(&st, pw->pw_uid)) { |
40 | +++ b/ssh.1 | 41 | logit("Rhosts authentication refused for %.100s: " |
41 | @@ -1338,6 +1338,8 @@ | 42 | "bad ownership or modes for home directory.", pw->pw_name); |
42 | .Xr ssh_config 5 . | 43 | auth_debug_add("Rhosts authentication refused for %.100s: " |
43 | Because of the potential for abuse, this file must have strict permissions: | 44 | @@ -283,8 +282,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam |
44 | read/write for the user, and not writable by others. | 45 | * allowing access to their account by anyone. |
45 | +It may be group-writable provided that the group in question contains only | 46 | */ |
46 | +the user. | 47 | if (options.strict_modes && |
47 | .Pp | 48 | - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
48 | .It Pa ~/.ssh/environment | 49 | - (st.st_mode & 022) != 0)) { |
49 | Contains additional definitions for environment variables; see | 50 | + !secure_permissions(&st, pw->pw_uid)) { |
50 | Index: b/ssh_config.5 | 51 | logit("Rhosts authentication refused for %.100s: bad modes for %.200s", |
51 | =================================================================== | 52 | pw->pw_name, buf); |
52 | --- a/ssh_config.5 | 53 | auth_debug_add("Bad file modes for %.200s", buf); |
53 | +++ b/ssh_config.5 | 54 | diff --git a/auth.c b/auth.c |
54 | @@ -1382,6 +1382,8 @@ | 55 | index 6662e9a..7f6c6c8 100644 |
55 | This file is used by the SSH client. | ||
56 | Because of the potential for abuse, this file must have strict permissions: | ||
57 | read/write for the user, and not accessible by others. | ||
58 | +It may be group-writable provided that the group in question contains only | ||
59 | +the user. | ||
60 | .It Pa /etc/ssh/ssh_config | ||
61 | Systemwide configuration file. | ||
62 | This file provides defaults for those | ||
63 | Index: b/auth.c | ||
64 | =================================================================== | ||
65 | --- a/auth.c | 56 | --- a/auth.c |
66 | +++ b/auth.c | 57 | +++ b/auth.c |
67 | @@ -408,8 +408,7 @@ | 58 | @@ -408,8 +408,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, |
68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 59 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
69 | if (options.strict_modes && | 60 | if (options.strict_modes && |
70 | (stat(user_hostfile, &st) == 0) && | 61 | (stat(user_hostfile, &st) == 0) && |
@@ -74,7 +65,7 @@ Index: b/auth.c | |||
74 | logit("Authentication refused for %.100s: " | 65 | logit("Authentication refused for %.100s: " |
75 | "bad owner or modes for %.200s", | 66 | "bad owner or modes for %.200s", |
76 | pw->pw_name, user_hostfile); | 67 | pw->pw_name, user_hostfile); |
77 | @@ -471,8 +470,7 @@ | 68 | @@ -471,8 +470,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
78 | snprintf(err, errlen, "%s is not a regular file", buf); | 69 | snprintf(err, errlen, "%s is not a regular file", buf); |
79 | return -1; | 70 | return -1; |
80 | } | 71 | } |
@@ -84,7 +75,7 @@ Index: b/auth.c | |||
84 | snprintf(err, errlen, "bad ownership or modes for file %s", | 75 | snprintf(err, errlen, "bad ownership or modes for file %s", |
85 | buf); | 76 | buf); |
86 | return -1; | 77 | return -1; |
87 | @@ -487,8 +485,7 @@ | 78 | @@ -487,8 +485,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
88 | strlcpy(buf, cp, sizeof(buf)); | 79 | strlcpy(buf, cp, sizeof(buf)); |
89 | 80 | ||
90 | if (stat(buf, &st) < 0 || | 81 | if (stat(buf, &st) < 0 || |
@@ -94,8 +85,8 @@ Index: b/auth.c | |||
94 | snprintf(err, errlen, | 85 | snprintf(err, errlen, |
95 | "bad ownership or modes for directory %s", buf); | 86 | "bad ownership or modes for directory %s", buf); |
96 | return -1; | 87 | return -1; |
97 | Index: b/misc.c | 88 | diff --git a/misc.c b/misc.c |
98 | =================================================================== | 89 | index c3c8099..eb57bfc 100644 |
99 | --- a/misc.c | 90 | --- a/misc.c |
100 | +++ b/misc.c | 91 | +++ b/misc.c |
101 | @@ -48,8 +48,9 @@ | 92 | @@ -48,8 +48,9 @@ |
@@ -117,7 +108,7 @@ Index: b/misc.c | |||
117 | 108 | ||
118 | /* remove newline at end of string */ | 109 | /* remove newline at end of string */ |
119 | char * | 110 | char * |
120 | @@ -642,6 +644,71 @@ | 111 | @@ -642,6 +644,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, |
121 | return -1; | 112 | return -1; |
122 | } | 113 | } |
123 | 114 | ||
@@ -189,46 +180,22 @@ Index: b/misc.c | |||
189 | int | 180 | int |
190 | tun_open(int tun, int mode) | 181 | tun_open(int tun, int mode) |
191 | { | 182 | { |
192 | Index: b/misc.h | 183 | diff --git a/misc.h b/misc.h |
193 | =================================================================== | 184 | index fceb306..51ba182 100644 |
194 | --- a/misc.h | 185 | --- a/misc.h |
195 | +++ b/misc.h | 186 | +++ b/misc.h |
196 | @@ -104,4 +104,6 @@ | 187 | @@ -104,4 +104,6 @@ char *read_passphrase(const char *, int); |
197 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 188 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
198 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); | 189 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); |
199 | 190 | ||
200 | +int secure_permissions(struct stat *st, uid_t uid); | 191 | +int secure_permissions(struct stat *st, uid_t uid); |
201 | + | 192 | + |
202 | #endif /* _MISC_H */ | 193 | #endif /* _MISC_H */ |
203 | Index: b/auth-rhosts.c | 194 | diff --git a/platform.c b/platform.c |
204 | =================================================================== | 195 | index a962f15..0b3bee1 100644 |
205 | --- a/auth-rhosts.c | ||
206 | +++ b/auth-rhosts.c | ||
207 | @@ -256,8 +256,7 @@ | ||
208 | return 0; | ||
209 | } | ||
210 | if (options.strict_modes && | ||
211 | - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || | ||
212 | - (st.st_mode & 022) != 0)) { | ||
213 | + !secure_permissions(&st, pw->pw_uid)) { | ||
214 | logit("Rhosts authentication refused for %.100s: " | ||
215 | "bad ownership or modes for home directory.", pw->pw_name); | ||
216 | auth_debug_add("Rhosts authentication refused for %.100s: " | ||
217 | @@ -283,8 +282,7 @@ | ||
218 | * allowing access to their account by anyone. | ||
219 | */ | ||
220 | if (options.strict_modes && | ||
221 | - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || | ||
222 | - (st.st_mode & 022) != 0)) { | ||
223 | + !secure_permissions(&st, pw->pw_uid)) { | ||
224 | logit("Rhosts authentication refused for %.100s: bad modes for %.200s", | ||
225 | pw->pw_name, buf); | ||
226 | auth_debug_add("Bad file modes for %.200s", buf); | ||
227 | Index: b/platform.c | ||
228 | =================================================================== | ||
229 | --- a/platform.c | 196 | --- a/platform.c |
230 | +++ b/platform.c | 197 | +++ b/platform.c |
231 | @@ -194,19 +194,3 @@ | 198 | @@ -194,19 +194,3 @@ platform_krb5_get_principal_name(const char *pw_name) |
232 | return NULL; | 199 | return NULL; |
233 | #endif | 200 | #endif |
234 | } | 201 | } |
@@ -248,3 +215,52 @@ Index: b/platform.c | |||
248 | -#endif | 215 | -#endif |
249 | - return 0; | 216 | - return 0; |
250 | -} | 217 | -} |
218 | diff --git a/readconf.c b/readconf.c | ||
219 | index 2dcbf31..389de7d 100644 | ||
220 | --- a/readconf.c | ||
221 | +++ b/readconf.c | ||
222 | @@ -30,6 +30,8 @@ | ||
223 | #include <stdio.h> | ||
224 | #include <string.h> | ||
225 | #include <unistd.h> | ||
226 | +#include <pwd.h> | ||
227 | +#include <grp.h> | ||
228 | #ifdef HAVE_UTIL_H | ||
229 | #include <util.h> | ||
230 | #endif | ||
231 | @@ -1160,8 +1162,7 @@ read_config_file(const char *filename, const char *host, Options *options, | ||
232 | |||
233 | if (fstat(fileno(f), &sb) == -1) | ||
234 | fatal("fstat %s: %s", filename, strerror(errno)); | ||
235 | - if (((sb.st_uid != 0 && sb.st_uid != getuid()) || | ||
236 | - (sb.st_mode & 022) != 0)) | ||
237 | + if (!secure_permissions(&sb, getuid())) | ||
238 | fatal("Bad owner or permissions on %s", filename); | ||
239 | } | ||
240 | |||
241 | diff --git a/ssh.1 b/ssh.1 | ||
242 | index 66a7007..0b38ae1 100644 | ||
243 | --- a/ssh.1 | ||
244 | +++ b/ssh.1 | ||
245 | @@ -1338,6 +1338,8 @@ The file format and configuration options are described in | ||
246 | .Xr ssh_config 5 . | ||
247 | Because of the potential for abuse, this file must have strict permissions: | ||
248 | read/write for the user, and not writable by others. | ||
249 | +It may be group-writable provided that the group in question contains only | ||
250 | +the user. | ||
251 | .Pp | ||
252 | .It Pa ~/.ssh/environment | ||
253 | Contains additional definitions for environment variables; see | ||
254 | diff --git a/ssh_config.5 b/ssh_config.5 | ||
255 | index 135d833..1497cfc 100644 | ||
256 | --- a/ssh_config.5 | ||
257 | +++ b/ssh_config.5 | ||
258 | @@ -1382,6 +1382,8 @@ The format of this file is described above. | ||
259 | This file is used by the SSH client. | ||
260 | Because of the potential for abuse, this file must have strict permissions: | ||
261 | read/write for the user, and not accessible by others. | ||
262 | +It may be group-writable provided that the group in question contains only | ||
263 | +the user. | ||
264 | .It Pa /etc/ssh/ssh_config | ||
265 | Systemwide configuration file. | ||
266 | This file provides defaults for those | ||
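Review bot: The relaxed permission check is documented only for the client: the embedded patch's diffstat lists ssh.1 and ssh_config.5, while the `options.strict_modes` checks it loosens are in auth.c and auth-rhosts.c on the server side, and no sshd.8 or sshd_config.5 change appears. An administrator reading the StrictModes description would still expect a group-writable home directory or authorized_keys file to be refused. I would add the same sentence to the server pages, e.g. `Group-writable files and directories are accepted provided that the group in question contains only the user.`, so the deviation from upstream behaviour is visible where the policy is configured. The body of `secure_permissions()` in misc.c is collapsed in this view, so whether it also counts users whose primary group is that gid (and who are therefore absent from `gr->gr_mem`) cannot be confirmed from here.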