poor permissions on ssh binary

Geoff Raye raye at meow.raye.com
Tue Jun 19 09:52:03 EST 2001

I just installed portable openssh 2.9p2, but the issue I have shouldn't
be unique to the portable version.

I built with
% ../configure --prefix=/usr/local/encap/openssh-2.9p2
--sysconfdir=/etc --with-cflags=-O2 --with-tcp-wrappers
--with-ssl-dir=/usr/local --with-md5-passwords --disable-suid-ssh

When it came time to make install, this command was executed:
/usr/local/bin/install -c -m 0711 -s ssh /usr/local/encap/openssh-2.9p2/bin/ssh

I consider it a poor choice of permissions to make ssh be 0711, and I
believe that configure.in should be changed on line 1624:
would make more sense than

For that matter, I believe that the suid root binary has no compelling
reason not to be world-readable, either, but I don't know whether there
have been past security implications of this which would warrant keeping
the file unreadable and not copyable.

In any event, keeping non-suid ssh binaries 0711 is a choice which goes
back to the original f-secure/commercial/tatu SSH.

Thank you for your consideration.

Geoff Raye

Geoff Raye       \ All irregularities will be handled by the forces
geoff at raye.com    \ controlling each dimension.  Transuranic heavy
                   \ elements may not be used where there is life.

More information about the openssh-unix-dev mailing list