ssh disregarding umask for creation of known_hosts (and other files?)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 29 15:19:35 EST 2008


Hey folks--

When ssh creates a known_hosts file for a user, it disregards the
currently-set umask, and can actually turn on mode bits that the user
has explicitly masked.  While i'm happy to have ssh make files *more*
secure than my umask (in situations where that's reasonable, like the
creation of new ssh keys, etc), i'm not sure that i see the point in
ssh making the files more open than i've explicitly requested.

I found this at ssh.c:256:

	/*
	 * Set our umask to something reasonable, as some files are created
	 * with the default umask.  This will make them world-readable but
	 * writable only by the owner, which is ok for all files for which we
	 * don't set the modes explicitly.
	 */
	umask(022);

Why not simply OR the dangerous writable bits with the current umask
instead:

        umask(022 | umask(0));

This would make sure that we're not creating group- or other-writable
files while still honoring the user's expectations that setting a bit
in the umask will actually mask off that bit.

Regards,

     --dkg

PS Some tests that i ran that demonstrate this surprising behavior:

Here's ssh setting g+r,o+r (explicitly disregarding my umask of 077)
when it creates known_hosts for me (tested with OpenSSH 4.8 on OpenBSD
4.3 and OpenSSH 5.1 on Debian testing):

$ uname -a
OpenBSD openbsdtest.squeak.fifthhorseman.net 4.3 GENERIC#698 i386
$ umask 077
$ ls -l ~/.ssh/known_hosts
ls: /home/dkg/.ssh/known_hosts: No such file or directory
$ ssh monkeysphere.info    
The authenticity of host 'monkeysphere.info (204.13.164.191)' can't be established.
RSA key fingerprint is e8:7e:5b:7d:bc:6f:08:22:80:00:bb:0a:83:ef:bd:7a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'monkeysphere.info,204.13.164.191' (RSA) to the list of known hosts.
Permission denied (publickey).
$ ls -l ~/.ssh/known_hosts 
-rw-r--r--  1 dkg  dkg  414 Oct 29 00:03 /home/dkg/.ssh/known_hosts
$ umask
077
$ 


wt215 at squeak:~$ uname -a
Linux squeak 2.6.26-1-686 #1 SMP Sat Oct 18 16:22:25 UTC 2008 i686 GNU/Linux
wt215 at squeak:~$ umask 077
wt215 at squeak:~$ ls -l ~/.ssh/known_hosts
ls: cannot access /home/wt215/.ssh/known_hosts: No such file or directory
wt215 at squeak:~$ ssh monkeysphere.info
The authenticity of host 'monkeysphere.info (204.13.164.191)' can't be established.
RSA key fingerprint is e8:7e:5b:7d:bc:6f:08:22:80:00:bb:0a:83:ef:bd:7a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'monkeysphere.info,204.13.164.191' (RSA) to the list of known hosts.
Permission denied (publickey).
wt215 at squeak:~$ ls -l ~/.ssh/known_hosts
-rw-r--r-- 1 wt215 wt215 884 2008-10-28 23:51 /home/wt215/.ssh/known_hosts
wt215 at squeak:~$ umask
0077
wt215 at squeak:~$ 
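Added example (not part of the original message or of OpenSSH): a small C program that reproduces the behaviour the mail reports. It starts from a user umask, applies either the quoted unconditional umask(022) or the proposed umask(022 | umask(0)), creates a file with the default 0644 creation mode the way a freshly written known_hosts is created, and returns the permission bits the kernel actually assigned. The scratch directory under TMPDIR (or /tmp) and the file name known_hosts inside it are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* merge == 0: what the quoted ssh.c does, an unconditional umask(022).
 * merge != 0: the mail's proposal, 022 OR'ed into whatever the user set.
 * umask(0) returns the previous mask; the outer umask() then installs the
 * merged value. The mask is 0 between the two calls, which is harmless in
 * a single-threaded program but worth keeping in mind elsewhere. */
static void apply_policy(int merge) {
    if (merge)
        umask(022 | umask(0));
    else
        umask(022);
}

/* What open(2) computes for a file created with create_mode under mask. */
mode_t effective_mode(mode_t create_mode, mode_t mask) {
    return create_mode & ~mask & 0777;
}

/* Start from user_umask, apply one of the two policies, create a file with
 * the default 0644 creation mode (a file nobody fchmod()s afterwards, like
 * a freshly written known_hosts) and return the permission bits the kernel
 * actually gave it. Returns (mode_t)-1 on failure. The scratch directory
 * and file are constructed for this demo and removed again before return. */
mode_t create_with_umask(mode_t user_umask, int merge) {
    mode_t saved = umask(user_umask);   /* the user's own "umask 077" */
    apply_policy(merge);

    const char *tmp = getenv("TMPDIR");
    char dir[4096];
    snprintf(dir, sizeof dir, "%s/umask-demo-XXXXXX", tmp ? tmp : "/tmp");
    mode_t result = (mode_t)-1;
    if (mkdtemp(dir) != NULL) {
        char path[4200];
        snprintf(path, sizeof path, "%s/known_hosts", dir);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
        if (fd >= 0) {
            struct stat st;
            if (fstat(fd, &st) == 0)
                result = st.st_mode & 0777;
            close(fd);
            unlink(path);
        }
        rmdir(dir);
    }
    umask(saved);                       /* restore the caller's mask */
    return result;
}

int main(void) {
    printf("user umask 077, umask(022):            %04o\n",
           (unsigned)create_with_umask(077, 0));
    printf("user umask 077, umask(022 | umask(0)): %04o\n",
           (unsigned)create_with_umask(077, 1));
    printf("user umask 002, umask(022 | umask(0)): %04o\n",
           (unsigned)create_with_umask(002, 1));
    return 0;
}
```

With a user umask of 077 the fixed policy yields 0644, i.e. the g+r,o+r bits the user masked off are turned back on, while the merged policy yields 0600; with a permissive user umask of 002 the merged policy still strips group write and produces 0644, so the "no group- or other-writable files" goal is kept either way.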