
Bug#119886: marked as done (openssh: sshd StrictModes disallows g+w contradicting debian group per user setup)



Your message dated Sun, 2 Apr 2017 02:54:35 +0100
with message-id <20170402015435.GA9655@riva.ucam.org>
and subject line Re: Bug#119886: openssh-server: Encountered this problem with backup-manager
has caused the Debian Bug report #119886,
regarding openssh: sshd StrictModes disallows g+w contradicting debian group per user setup
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
119886: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=119886
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh
Version: N/A
Severity: normal

The /etc/ssh/sshd_config StrictModes setting, which checks for a
world-writable user .ssh directory, also detects a group-writable
bit set on the home directory, and disallows public key access.
Debian is set up with per-user groups, so I think this should be
changed in the Debian package, to ignore the group bit.

Motivation - I want to use this feature to have a master/slave user
setup, to provide some degree of application sandboxing. The master
user becomes a member of the slave's group, and the slave has group
writable and setgroup set on its home directory, so the master has
complete access. Ideally, I give the master ssh access to the slave,
for ease of running applications.

-- System Information
Debian Release: testing/unstable
Kernel Version: Linux anor 2.2.18pre9 #15 Mon Feb 5 16:50:45 GMT 2001 i586 unknown



--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:5.5p1-4

On Tue, Jan 01, 2008 at 02:19:05AM -0800, Josh Triplett wrote:
> I ran into the same problem when trying to use backup-manager with ssh
> uploads.  I created a user "backup-manager" on the system I want to
> upload the backups to, and since I already had to give that user
> permission to /var/archives, I made /var/archives its home directory.
> However, backup-manager defaults to 0660 permissions on /var/archives,
> making ssh refuse to use /var/archives/.ssh/authorized_keys .
> 
> It would require a bit more work, but I think the *right* solution
> here would involve asking if the group which has write permission to
> the directory contains any users other than the SSH target user.

I just came across this when doing a pass over old bug reports.  Indeed,
that's the right answer, and I implemented it in openssh 1:5.5p1-4 in
response to #581919 (on top of an earlier fix to #314347).  That fixed
this bug too.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
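
The rule proposed in the quoted message (accept a group-writable directory only when the owning group contains no account other than the SSH target user), as an added example that is not the Debian patch or OpenSSH code. The function names and the sample accounts are hypothetical and constructed for illustration; the owner and world-write tests are assumed to stay as strict as before.

```python
import grp
import os
import pwd
import stat
from collections import namedtuple

# Constructed stand-ins for pwd/grp records so the check can run on sample data.
Pw = namedtuple("Pw", "pw_name pw_uid pw_gid")
Gr = namedtuple("Gr", "gr_name gr_gid gr_mem")


def group_is_private(gid, user, groups=None, passwds=None):
    """True if `user` is the only account that can act as group `gid`."""
    groups = grp.getgrall() if groups is None else groups
    passwds = pwd.getpwall() if passwds is None else passwds
    # Supplementary members listed in the group database.
    for g in groups:
        if g.gr_gid == gid and any(m != user for m in g.gr_mem):
            return False
    # Accounts with gid as their primary group are not listed in gr_mem.
    return not any(p.pw_gid == gid and p.pw_name != user for p in passwds)


def mode_acceptable(mode, owner_uid, gid, user, user_uid, groups=None, passwds=None):
    """Ownership/mode test with the group-write exception for a private group."""
    if owner_uid not in (0, user_uid):      # must belong to root or the user
        return False
    if mode & stat.S_IWOTH:                 # world-writable is never accepted
        return False
    if mode & stat.S_IWGRP:                 # group-writable: who is in the group?
        return group_is_private(gid, user, groups, passwds)
    return True


def check_path(path, user):
    """Apply the test to a real path using the system account databases."""
    st, pw = os.stat(path), pwd.getpwnam(user)
    return mode_acceptable(st.st_mode, st.st_uid, st.st_gid, user, pw.pw_uid)


if __name__ == "__main__":
    # Constructed accounts: "master" was added to the group of "slave".
    passwds = [Pw("master", 1000, 1000), Pw("slave", 1001, 1001)]
    groups = [Gr("master", 1000, []), Gr("slave", 1001, ["master"])]
    print(mode_acceptable(0o2770, 1001, 1001, "slave", 1001, groups, passwds))  # False
    print(mode_acceptable(0o2770, 1000, 1000, "master", 1000, groups, passwds))  # True
```

With these constructed accounts the home directory of "slave" is still refused, because "master" is a second member of its group, while a directory whose group holds only its owner passes.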