The build-time option to allow group writable directories to be OK under StrictModes would be much more useful if it were a runtime option to sshd.
What build-time option?
In O'Reilly's 'SSH: The Secure Shell: The Definitive Guide', it is stated: "Even if StrictModes is enabled, though, it can be defeated... First, sshd can be compiled with the flag -- enable-group-writeability [Section 4.1.5.2, "Installation, files, and directories"], which makes group-writable files acceptable to StrictModes. This can be useful for shared accounts, permitting all members of a group to modify SSH-related files in an account." I was under the impression this was referring to OpenSSH. In short, though, regardless of the existence or lack thereof of such a flag, I would like to be able to make group-writable acceptable to StrictModes without having to turn StrictModes off and (so far) I have found no way to do this, hence my feature request.
(In reply to comment #2)
> "Even if StrictModes is enabled, though, it can be defeated... First, sshd can
> be compiled with the flag -- enable-group-writeability"

There's certainly no such option in the current version:

$ grep group-writeability configure.ac
$

and there's no mention of it in the cvs history either. It's possible that some vendors add something along those lines, though.

> In short, though, regardless of the existence or lack thereof of such a flag,
> I would like to be able to make group-writable acceptable to StrictModes
> without having to turn StrictModes off and (so far) I have found no way to do
> this, hence my feature request.

Maybe "StrictModes yes|no|group"? Or make StrictModes accept a umask-like syntax ("StrictModes 002")?
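
An added example, not part of the thread and not OpenSSH code: a small audit that models the StrictModes check as a mask of denied permission bits applied to the key file and each directory up to the home directory. The function name and the `deny_mask` parameter are hypothetical; 022 stands for rejecting group- and world-writable paths, and 002 for the umask-like relaxation suggested in the last comment.

```python
import os
import stat
import tempfile

def strictmodes_violations(path, home, uid, deny_mask=0o022):
    """Walk from path up to home and list (path, reason) for every failure.

    deny_mask is a hypothetical knob: 0o022 rejects group- and world-writable
    paths, 0o002 rejects only world-writable ones.
    """
    problems = []
    cur, home = os.path.realpath(path), os.path.realpath(home)
    while True:
        st = os.stat(cur)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, uid):          # owner must be the user or root
            problems.append((cur, "owned by uid %d" % st.st_uid))
        if mode & deny_mask:
            problems.append((cur, "mode %04o sets denied bits %03o"
                             % (mode, mode & deny_mask)))
        parent = os.path.dirname(cur)
        if cur == home or parent == cur:       # stop at home (or at /)
            return problems
        cur = parent

def demo():
    """Constructed shared-account layout: ~/.ssh and authorized_keys group-writable."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        open(keys, "w").close()
        os.chmod(home, 0o750)
        os.chmod(ssh_dir, 0o770)
        os.chmod(keys, 0o660)
        uid = os.getuid()
        strict = strictmodes_violations(keys, home, uid, 0o022)
        relaxed = strictmodes_violations(keys, home, uid, 0o002)
        os.chmod(keys, 0o666)                  # world-writable must still fail
        world = strictmodes_violations(keys, home, uid, 0o002)
        return strict, relaxed, world

if __name__ == "__main__":
    for label, result in zip(("mask 022", "mask 002", "mask 002, file 0666"), demo()):
        print(label, "->", result or "ok")
```

Run against a real account by passing the user's `authorized_keys` path, home directory and uid; an empty list means every path passes under the chosen mask.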