From d61e316833eb7d05b0b5c937bfce8ee0f19dc7cb Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sat, 22 May 2010 22:43:47 +0100 Subject: Allow ~/.ssh/authorized_keys and other secure files to be group-writable, provided that the group in question contains only the file's owner; this extends a patch previously applied to ~/.ssh/config (closes: #581919). --- auth.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'auth.c') diff --git a/auth.c b/auth.c index 54f4548f1..a188b891e 100644 --- a/auth.c +++ b/auth.c @@ -385,8 +385,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); if (options.strict_modes && (stat(user_hostfile, &st) == 0) && - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0)) { + !secure_permissions(&st, pw->pw_uid)) { logit("Authentication refused for %.100s: " "bad owner or modes for %.200s", pw->pw_name, user_hostfile); @@ -438,8 +437,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, /* check the open file to avoid races */ if (fstat(fileno(f), &st) < 0 || - (st.st_uid != 0 && st.st_uid != uid) || - (st.st_mode & 022) != 0) { + !secure_permissions(&st, uid)) { snprintf(err, errlen, "bad ownership or modes for file %s", buf); return -1; @@ -455,8 +453,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, debug3("secure_filename: checking '%s'", buf); if (stat(buf, &st) < 0 || - (st.st_uid != 0 && st.st_uid != uid) || - (st.st_mode & 022) != 0) { + !secure_permissions(&st, uid)) { snprintf(err, errlen, "bad ownership or modes for directory %s", buf); return -1; -- cgit v1.2.3