On Mon, May 17, 2010 at 06:32:51PM +0200, Christoph Anton Mitterer wrote:
> On Mon, 2010-05-17 at 10:31 +0200, Vincent Danjean wrote:
> > Base-files package just switched to umask 002 by default for new install
> > (see #248140 and discussion in d-devel). However, with this setup,
> > openssh-server behaves badly. It is similar to #314347 that was opened
> > for openssh-client and permission checks for $HOME/.ssh/config.
> > The fix for this bug should probably be similar.
>
> So do you suggest that also group-readable/writable authorized_keys
> files should be accepted by openssh?
>
> You probably know that I was already one of the strong opponents of the
> recent umask changes,... but this would go really too far.
>
> It's not guaranteed that a system uses UPGs (old systems) nor that a
> user will keep this setup (new systems).
>
> Requiring special permissions for some files was done for good reason.
> Debian shouldn't completely drop security just for awkward user/group
> setups.

It's not completely dropping security. If the user is the only member of
a group, then the group-writability confers no additional permissions
and it's OK to allow it. Debian's openssh package has done this for
~/.ssh/config for some time and it's been fine - it's just a matter of
extending that.

Let's not over-exaggerate things.

Cheers,

--
Colin Watson

