From 563974a78e937c4844e1198b5f6d79b8b2b5c600 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Sun, 9 Feb 2014 16:09:58 +0000
Subject: Allow harmless group-writability

Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2013-09-14
Patch-Name: user-group-modes.patch
---
 auth-rhosts.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'auth-rhosts.c')

diff --git a/auth-rhosts.c b/auth-rhosts.c
index 0ef344712..c17c13cc1 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -273,8 +273,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
 return 0;
 }
 if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
 logit("Rhosts authentication refused for %.100s: "
 "bad ownership or modes for home directory.", pw->pw_name);
 auth_debug_add("Rhosts authentication refused for %.100s: "
@@ -300,8 +299,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
 * allowing access to their account by anyone.
 */
 if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
 logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
 pw->pw_name, buf);
 auth_debug_add("Bad file modes for %.200s", buf);
-- cgit v1.2.3
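Review bot: The safety of the relaxed home-directory check now rests entirely on `secure_permissions()`, which is neither defined nor declared in this hunk and is absent from the diffstat, and the property it must enforce is stronger than "gr_mem contains only the owner": `gr_mem` lists supplementary members only, so a group with an empty member list can still be the primary group of other accounts in the passwd database, and each of those accounts could write to a group-writable home directory or `~/.rhosts`. Unless the helper also confirms that no other passwd entry carries that gid as its primary group, the new condition accepts directories that the old `(st.st_mode & 022) != 0` test correctly refused; if it does confirm that, a comment at the call site would make the trust boundary visible, e.g. `/* group write is tolerated only if no account other than pw belongs to the group, including by primary gid (see secure_permissions) */`. The enclosing function auth_rhosts2_raw starts and ends outside the hunk.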
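Review bot: The replaced condition for the per-user rhosts file explicitly tolerated root ownership via `st.st_uid != 0 &&`, but the new call passes only `pw->pw_uid`, so whether an administrator-installed, root-owned `~/.rhosts` or `~/.shosts` is still accepted under StrictModes now depends on how `secure_permissions()` treats uid 0, which this commit does not show. If the helper preserves that exception it should be stated at the call site, `/* secure_permissions() also accepts root-owned files */`; if it does not, this is a behaviour change for existing deployments that the commit message does not mention. A rejection caused by the group-membership test will also be logged as `bad modes for %.200s`, which no longer points the operator at the actual cause; extending the message to say "ownership, modes or group membership" would keep the log diagnosable. The enclosing function auth_rhosts2_raw starts and ends outside the hunk.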