how to have ssh not disable local security policy?

Ángel González keisial at gmail.com
Thu Jun 4 09:13:16 AEST 2015


On 03/06/15 23:10, L. A. Walsh wrote:
> It seems something changed (maybe I'm missing a patch)
> to turn off this message:
(...)
> Each user -- including root, is in their own group, so allowing groups access to
> be the same as user access is policy.
>
> By forcing this protection on my setup, I can't
> have the same home directory for my local and domain
> users even though they are the same on the server.
>
> But on the win-machine with home mounted directories,
> it messes things up and people have to come up with
> insecure work-arounds.  (...)  Am I missing something?
You need to apply 
https://sources.debian.net/src/openssh/1:6.7p1-6/debian/patches/user-group-modes.patch/

I was convinced it was available as a ./configure switch but it turns out 
it isn't upstreamed.
Darren, Damien, could you reconsider the decision of not accepting this 
relatively common patch? After reading the discussion at 
https://bugzilla.mindrot.org/show_bug.cgi?id=1060 I also think there was 
a misunderstanding on your part.

I have reviewed the patch (note it is an improved version of the one 
submitted in the bug) and it seems suitable for inclusion.
I do, however, recommend adding a setpwent() just before the getpwent() loop, 
to protect against the possibility of some library calling getpwent() 
before secure_permissions().



More information about the openssh-unix-dev mailing list