Risk of StrictMode (but read only)
Jim Knoble
jmknoble at pobox.com
Thu Jul 17 04:03:07 EST 2008
Circa 2008-07-16 13:32 dixit Jim Knoble:

:     mkdir -p /etc/ssh/auth/alice /etc/ssh/auth/bob
:     chmod 0400 /etc/ssh/auth/alice
:     chown alice:0 /etc/ssh/auth/alice
:     chmod 0400 /etc/ssh/auth/bob
:     chown bob:0 /etc/ssh/auth/bob

And, of course, i wasn't thinking clearly. There are at least two
problems with the above:

(1) For the purpose above, '0500' is the right mode (make directories
    searchable):

        chmod 0500 /etc/ssh/auth/alice
        chmod 0500 /etc/ssh/auth/bob

(2) Making the users the owner of the directory enables them to
    change the permissions of the directory. That, in turn, enables
    them to change any files contained in it. If that's not what
    you want, you are better off adding each user to their own group
    (as is done by default on many modern Linux-based systems), then
    changing directory ownership to that group and setting
    permissions accordingly. Example:
        # Create alice's private group and append it to the groups she
        # already belongs to, so usermod -G does not drop any of them.
        groupadd alice
        # Lowercase variable on purpose: in bash, GROUPS is a special
        # variable and assignments to it are silently ignored.
        # The sed pattern is one space followed by ' *', so each run of
        # spaces from `id -Gn` becomes a single comma.
        grps=`id -Gn alice | sed -e 's/  */,/g'`
        grps=${grps:+${grps},}
        usermod -G ${grps}alice alice
        # root owns the directory; alice's group can read and search it
        # but cannot change its mode.
        mkdir -p /etc/ssh/auth/alice
        chmod 0750 /etc/ssh/auth/alice
        chown 0:alice /etc/ssh/auth/alice

Your mileage may vary, depending on whether groupadd and usermod
are available (you may need to manipulate /etc/groups directly).

: Now alice can read her own /etc/ssh/auth/alice/authorized_keys file, but
: can't read bob's.
:
: You could even use this to allow specific users to maintain their own
: authorized_keys file, if you so desire.

Which is possible by:

        mkdir -p /etc/ssh/auth/alice
        chmod 0700 /etc/ssh/auth/alice
        chown alice:alice /etc/ssh/auth/alice

Best,
Jim
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing. --Aldous Huxley|
+----------------------------------------------------------------------+
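The three layouts in this message differ in who is able to change the directory mode, which is exactly what sshd's StrictModes option guards against. The script below is an added example, not code from the original post or from OpenSSH: it audits one per-user directory under /etc/ssh/auth/ and its authorized_keys file with the same two questions, rejecting a path that is writable by group or others, and rejecting a path owned by the key holder's own uid (the owner can loosen the mode at will, which is problem (2) above). It assumes POSIX sh with `ls -ldn` and takes the uid numerically so it can be exercised without creating accounts; it checks only the named directory and file, not the parent directories that sshd also walks.

```sh
#!/bin/sh
# Added example (not from the original post): StrictModes-style audit of
# /etc/ssh/auth/<user>. Assumes POSIX sh and that `ls -ldn` prints
# "mode links uid gid ..." as its first four fields.

# perms_ok PATH UID: 0 if PATH is safe to trust for the account with
# numeric uid UID, 1 otherwise (reason printed on stdout).
perms_ok() {
    path=$1
    keyholder=$2
    # Fields of `ls -ldn`: mode string, link count, numeric uid, numeric gid.
    set -- $(ls -ldn "$path")
    mode=$1
    owner=$3
    # In the mode string, position 6 is group write and position 9 is
    # other write; either one lets someone besides the owner edit the path.
    case $mode in
        ?????w*|????????w*)
            echo "REJECT $path: writable by group or others ($mode)"
            return 1 ;;
    esac
    # Whoever owns the path can chmod it, so the key holder must not own it.
    if [ "$owner" = "$keyholder" ]; then
        echo "REJECT $path: owned by uid $keyholder, who can loosen its mode"
        return 1
    fi
    return 0
}

# check_auth_dir DIR UID: audit DIR and, if present, DIR/authorized_keys.
check_auth_dir() {
    dir=$1
    uid=$2
    if [ ! -d "$dir" ]; then
        echo "REJECT $dir: not a directory"
        return 1
    fi
    perms_ok "$dir" "$uid" || return 1
    if [ -e "$dir/authorized_keys" ]; then
        perms_ok "$dir/authorized_keys" "$uid" || return 1
    fi
    echo "OK $dir"
    return 0
}

# Usage: sh audit.sh /etc/ssh/auth/alice "$(id -u alice)"
if [ $# -eq 2 ]; then
    check_auth_dir "$1" "$2"
fi
```

Run against the root-owned, 0750 layout from the message it prints OK; run against the 0700 user-owned layout it prints the ownership rejection, which is the trade-off that layout makes deliberately when you want users to maintain their own file.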