relaxing access rights verifications
mouring at etoh.eviladmin.org
Sun Apr 22 15:39:49 EST 2001
[..]
>
> So here is a patch to permit :
> . file readable by group if owned by root
> . directories writeable by group if owned by root
>
> I added two functions temporarily_use_gid and restore_gid to permit to
> access the authorized_keys2 file. The gid used is the primary group of the
> user.
>
You'll have to maintain this yourself. The topic of GID readable keys
has come up quite a bit over the last month or so and the final word
seems to be 'No'.
I have no real stand on it because I don't need such functionality, but
I think having such a feature native may encourage wrong solutions to be
deployed. <shrug>
> This patch fixes only the cases I met.
>
> Here is an up to date chroot patch for 2.5.2p2 too.
>
It would be nicer if the chroot patch was updated in relationship to the
current snapshots/cvs release (http://www.openssh.com/portable.html).
After this release is done (and if I can get time), I'd like to look at a
different approach to chrooting and sftp. After thinking about it, I
think the better solution is to do chroot in the sftp-server software and
not in ssh. Mainly because I don't feel one should have Users+1 copies of
sftp-server floating around. It's a managing nightmare.
If it is accepted by OpenBSD folks is a different story. <shrug> But
if not and if there is enough interest I may provide it in contrib/.
- Ben
More information about the openssh-unix-dev
mailing list