From aae427a0c7d5702bf294191533ab1f33437a8a56 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:09:58 +0000 Subject: Allow harmless group-writability Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2013-09-14 Patch-Name: user-group-modes.patch --- readconf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'readconf.c') diff --git a/readconf.c b/readconf.c index 46c343f30..c0ba5a72c 100644 --- a/readconf.c +++ b/readconf.c @@ -39,6 +39,8 @@ #include #include #include +#include +#include #ifdef HAVE_UTIL_H #include #endif @@ -1579,8 +1581,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, if (fstat(fileno(f), &sb) == -1) fatal("fstat %s: %s", filename, strerror(errno)); - if (((sb.st_uid != 0 && sb.st_uid != getuid()) || - (sb.st_mode & 022) != 0)) + if (!secure_permissions(&sb, getuid())) fatal("Bad owner or permissions on %s", filename); } -- cgit v1.2.3