Bug 3277

Summary: Global ssh_config file permissions are not checked.
Product: Portable OpenSSH
Reporter: balu <balu.gajjala>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: normal
CC: balu.gajjala, djm, dtucker
Priority: P5
Version: 8.5p1
Hardware: Other
OS: Windows 10
Bug Depends on:
Bug Blocks: 3302

Description balu 2021-03-11 12:36:04 AEDT
This is a rare situation but it can happen by mistake. 

Global ssh_config is not checked for the right file permissions.

If a root user accidentally gives write permissions to non-root users then it leads to undesirable behavior. 

It's a single-line change to add the "SSHCONF_CHECKPERM" flag while calling read_config_file().

https://github.com/openssh/openssh-portable/blob/2421a567a8862fe5102a4e7d60003ebffd1313dd/ssh.c#L585
Comment 1 Darren Tucker 2021-03-12 13:30:59 AEDT
I'm wondering if there are use cases where someone might want to do this, e.g.
 - making ssh_config group writable by an admin group
 - using Match and Include to delegate a subset of the config to another group
Comment 2 Damien Miller 2021-04-23 14:50:15 AEST
retarget after 8.6p1 release
Comment 3 Damien Miller 2021-07-02 14:50:08 AEST
I'm inclined to agree and to not add additional checking - ssh should aim to protect the user against misconfiguration, but it's IMO overkill to detect serious admin misconfiguration.

On one hand, as Darren points out, a too strict definition of "misconfiguration" might break working setups.

On the other, how far should a user tool go towards checking the system is in an expected state? Should it check the permissions on /etc/passwd? /dev/*? etc.
Comment 4 Damien Miller 2021-08-12 10:03:44 AEST
Closing. Feel free to reopen if you have a good argument for this.
Comment 5 Damien Miller 2022-02-25 13:59:07 AEDT
closing bugs resolved before openssh-8.9
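
Since the request was closed WONTFIX, the check can be run on the admin side instead. The following is an added example, not OpenSSH code: it applies the owner and mode test that ssh already performs on the per-user config to the global ssh_config and to every file it pulls in through Include. It assumes a POSIX host; the function names and the default path are illustrative, and relative Include patterns are resolved against the config file's own directory.

```python
import glob
import os
import re
import shlex
import stat
import sys

# Matches "Include a b" and "Include=a", also when indented under Host/Match.
INCLUDE = re.compile(r"\s*include(?:\s*=\s*|\s+)(.+)", re.IGNORECASE)

def bad_perms(path, uid=None):
    """Reason string if path fails the owner/mode test, else None."""
    # Rule: owner is root or the invoking user, and no group/world write bit.
    uid = os.getuid() if uid is None else uid
    st = os.stat(path)
    if st.st_uid not in (0, uid):
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"mode {stat.S_IMODE(st.st_mode):04o} is group/world-writable"
    return None

def audit(path, base_dir=None, seen=None):
    """Return {file: reason} for each failing file reachable from path."""
    base_dir = base_dir or os.path.dirname(os.path.abspath(path))
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:  # guard against Include loops
        return {}
    seen.add(real)
    findings = {}
    reason = bad_perms(path)
    if reason:
        findings[path] = reason
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = INCLUDE.match(line)
            if not m:
                continue
            for pat in shlex.split(m.group(1), comments=True):
                if not os.path.isabs(pat):
                    pat = os.path.join(base_dir, pat)
                for inc in sorted(glob.glob(pat)):
                    if os.path.isfile(inc):
                        findings.update(audit(inc, base_dir, seen))
    return findings

if __name__ == "__main__":
    found = audit(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/ssh_config")
    for name, why in found.items():
        print(f"{name}: {why}")
    sys.exit(1 if found else 0)
```

Sites that deliberately delegate part of the config to an admin group, as in Comment 1, will see those files reported and can treat the findings as an allowlist to review rather than as errors.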