Bug#581697: allows group-writable files owned by random groups
On Fri, May 14, 2010 at 09:24:50PM -0400, Joey Hess wrote:
> I don't really understand the point of checking who can write to the
> file but assuming it's general paranoia, I think you weakened it too far
> with the user group patch.
>
> -rw-rw-r-- 1 joey nogroup 1099 Apr 15 19:37 config
> joey@gnu:~/.ssh>ssh localhost echo oops
> oops
>
> -rw-rw-r-- 1 joey games 1.1K Apr 15 19:37 config
> joey@gnu:~/.ssh>ssh localhost echo oops
> oops
>
> -rw-rw-r-- 1 joey scanner 1099 Apr 15 19:37 config
> joey@gnu:~/.ssh>ssh localhost echo oops
> Bad owner or permissions on /home/joey/.ssh/config
>
> So, it looks like any group with 0 or 1 member is allowed to own the
> file, even if the user is not a member. (Here the scanner group has 2 members.)
Are you sure you aren't a member of group games?
$ getent group games
games:x:60:cjwatson
$ getent group ssl-cert
ssl-cert:x:108:postgres
$ sudo chgrp games ~/.ssh/config
$ ssh localhost echo oops
oops
$ sudo chgrp ssl-cert ~/.ssh/config
$ ssh localhost echo oops
Bad owner or permissions on /home/cjwatson/.ssh/config
A zero-member group, or any random group containing only the user,
should clearly be fine in my book because the ownership of ~/.ssh/config
by that group doesn't permit any other user to write to the file.
--
Colin Watson [cjwatson@debian.org]
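As an added illustration (not code from this bug report, from OpenSSH, or from Debian's patch), here is a Python model of the rule Colin describes: a group-writable ~/.ssh/config is tolerated only when the owning group contains nobody but the user. The group database, numeric ids and the extra "saned" member of scanner are constructed assumptions, and the user's primary group from passwd is deliberately not modelled.

```python
import stat

# Constructed group database: name -> (gid, supplementary members).
# Names come from the thread; gids and the membership lists are assumptions.
GROUPS = {
    "nogroup": (65534, []),
    "games":   (60, ["joey"]),
    "scanner": (110, ["joey", "saned"]),   # second member is constructed
}

def group_members(gid):
    """Supplementary members of a group, like the last field of getent group."""
    for _gid, members in GROUPS.values():
        if _gid == gid:
            return members
    raise KeyError(gid)

def secure_permissions(st_uid, st_gid, st_mode, user, uid):
    """Return True if the config file may be trusted.

    Model (an assumption, not the patch's own code) of the check debated
    in the thread: the file must belong to the user or root, must not be
    world-writable, and may be group-writable only when the owning group
    has no member other than the user. A group with zero members, or
    with the user as its only member, therefore passes.
    """
    if st_uid not in (uid, 0):
        return False                     # "Bad owner"
    if st_mode & stat.S_IWOTH:
        return False                     # anyone could edit the config
    if st_mode & stat.S_IWGRP:
        others = [m for m in group_members(st_gid) if m != user]
        if others:
            return False                 # some other user could edit it
    return True

def thread_cases():
    """Joey's three ls -l lines: rw-rw-r-- owned by joey, gid varying."""
    return {name: secure_permissions(1000, gid, 0o664, "joey", 1000)
            for name, (gid, _) in GROUPS.items()}

if __name__ == "__main__":
    for name, ok in thread_cases().items():
        print(f"{name:8} {'oops' if ok else 'Bad owner or permissions'}")
```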