poor permissions on ssh binary
Geoff Raye
raye at meow.raye.com
Tue Jun 19 09:52:03 EST 2001
I just installed portable openssh 2.9p2, but the issue I have shouldn't
be unique to the portable version.
I built with
% ../configure --prefix=/usr/local/encap/openssh-2.9p2
--sysconfdir=/etc --with-cflags=-O2 --with-tcp-wrappers
--with-ssl-dir=/usr/local --with-md5-passwords --disable-suid-ssh
When it came time to make install, this command was executed:
/usr/local/bin/install -c -m 0711 -s ssh /usr/local/encap/openssh-2.9p2/bin/ssh
I consider it a poor choice of permissions to make ssh be 0711, and I
believe that configure.in should be changed on line 1624:
SSHMODE=0755
would make more sense than
SSHMODE=0711
For that matter, I believe that the suid root binary has no compelling
reason not to be world-readable, either, but I don't know whether there
have been past security implications of this which would warrant keeping
the file unreadable and not copyable.
In any event, keeping non-suid ssh binaries 0711 is a choice which goes
back to the original f-secure/commercial/tatu SSH.
Thank you for your consideration.
Geoff Raye
--
Geoff Raye \ All irregularities will be handled by the forces
geoff at raye.com \ controlling each dimension. Transuranic heavy
\ elements may not be used where there is life.
More information about the openssh-unix-dev
mailing list