On 03/06/15 23:10, L. A. Walsh wrote:
> It seems something changed (maybe I'm missing a patch)
> to turn off this message:
(...)
> Each user -- including root -- is in their own group, so allowing group
> access to be the same as user access is policy.
>
> By forcing this protection on my setup, I can't
> have the same home directory for my local and domain
> users even though they are the same on the server.
>
> But on the win-machine with home mounted directories,
> it messes things up and people have to come up with
> insecure work-arounds. (...) Am I missing something?
You need to apply
https://sources.debian.net/src/openssh/1:6.7p1-6/debian/patches/user-group-modes.patch/
I was convinced it was available as a ./configure switch, but it turns out
it isn't upstreamed.
Darren, Damien, could you reconsider the decision of not accepting this
relatively common patch? After reading the discussion at
https://bugzilla.mindrot.org/show_bug.cgi?id=1060 I also think there was
a misunderstanding on your part.
I have reviewed the patch (note it is an improved version of the one
submitted in the bug) and it seems suitable for inclusion.
I recommend, however, adding a setpwent() just before the getpwent() loop,
to protect against the possibility of some library calling getpwent()
before secure_permissions().