| Summary: | StrictModes needs runtime granularity | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Tad Marko <tad> |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | NEW --- | ||
| Severity: | enhancement | CC: | cab |
| Priority: | P2 | ||
| Version: | -current | ||
| Hardware: | All | ||
| OS: | Linux | ||
Description
Tad Marko
2005-09-23 05:40:41 AEST
What build-time option? In O'Reilly's 'SSH: The Secure Shell: The Definitive Guide', it is stated:

"Even if StrictModes is enabled, though, it can be defeated... First, sshd can be compiled with the flag -- enable-group-writeability [Section 4.1.5.2, "Installation, files, and directories"], which makes group-writable files acceptable to StrictModes. This can be useful for shared accounts, permitting all members of a group to modify SSH-related files in an account."

I was under the impression this was referring to OpenSSH.

In short, though, regardless of the existence or lack thereof of such a flag, I would like to be able to make group-writable acceptable to StrictModes without having to turn StrictModes off and (so far) I have found no way to do this, hence my feature request.

(In reply to comment #2)
> "Even if StrictModes is enabled, though, it can be defeated... First, sshd can
> be compiled with the flag -- enable-group-writeability"

There's certainly no such option in the current version:

    $ grep group-writeability configure.ac
    $

and there's no mention of it in the cvs history either. It's possible that some vendors add something along those lines, though.

> In short, though, regardless of the existence or lack thereof of such a flag,
> I would like to be able to make group-writable acceptable to StrictModes
> without having to turn StrictModes off and (so far) I have found no way to do
> this, hence my feature request.

Maybe "StrictModes yes|no|group"? Or make StrictModes accept a umask-like syntax ("StrictModes 002")?