bugzilla-daemon at mindrot.org
2005-Sep-22 19:40 UTC
[Bug 1089] StrictModes needs runtime granularity
http://bugzilla.mindrot.org/show_bug.cgi?id=1089

           Summary: StrictModes needs runtime granularity
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: tad at tadland.net

The build-time option to allow group writable directories to be OK under StrictModes would be much more useful if it were a runtime option to sshd.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Sep-23 09:34 UTC
[Bug 1089] StrictModes needs runtime granularity
http://bugzilla.mindrot.org/show_bug.cgi?id=1089

------- Additional Comments From djm at mindrot.org 2005-09-23 19:34 -------

What build-time option?
bugzilla-daemon at mindrot.org
2005-Sep-23 14:48 UTC
[Bug 1089] StrictModes needs runtime granularity
http://bugzilla.mindrot.org/show_bug.cgi?id=1089

------- Additional Comments From tad at tadland.net 2005-09-24 00:48 -------

In O'Reilly's 'SSH: The Secure Shell: The Definitive Guide', it is stated:

"Even if StrictModes is enabled, though, it can be defeated... First, sshd can be compiled with the flag -- enable-group-writeability [Section 4.1.5.2, "Installation, files, and directories"], which makes group-writable files acceptable to StrictModes. This can be useful for shared accounts, permitting all members of a group to modify SSH-related files in an account."

I was under the impression this was referring to OpenSSH.

In short, though, regardless of the existence or lack thereof of such a flag, I would like to be able to make group-writable acceptable to StrictModes without having to turn StrictModes off and (so far) I have found no way to do this, hence my feature request.
bugzilla-daemon at mindrot.org
2005-Sep-26 06:27 UTC
[Bug 1089] StrictModes needs runtime granularity
http://bugzilla.mindrot.org/show_bug.cgi?id=1089

------- Additional Comments From dtucker at zip.com.au 2005-09-26 16:27 -------

(In reply to comment #2)
> "Even if StrictModes is enabled, though, it can be defeated... First, sshd can
> be compiled with the flag -- enable-group-writeability"

There's certainly no such option in the current version:

$ grep group-writeability configure.ac
$

and there's no mention of it in the cvs history either. It's possible that some vendors add something along those lines, though.

> In short, though, regardless of the existence or lack thereof of such a flag,
> I would like to be able to make group-writable acceptable to StrictModes
> without having to turn StrictModes off and (so far) I have found no way to do
> this, hence my feature request.

Maybe "StrictModes yes|no|group"? Or make StrictModes accept a umask-like syntax ("StrictModes 002")?
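An added example, not part of the thread and not OpenSSH code: a Python audit that models the umask-like idea raised above by checking a key file and each parent directory up to the home directory against a configurable mask of forbidden write bits. It assumes the stock check rejects group- or other-writable paths (mask 022); the names `audit`, `demo`, `STOCK` and `GROUP` are hypothetical, and the directory tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile

STOCK = 0o022   # assumed stock behaviour: no group or other write bits
GROUP = 0o002   # relaxed "StrictModes 002" idea from the thread (hypothetical)

def audit(path, home, uid, mask=STOCK):
    """Check path and every parent up to home; return (path, reason) findings."""
    findings = []
    cur, home = os.path.realpath(path), os.path.realpath(home)
    while True:
        st = os.stat(cur)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, uid):          # must belong to the user or root
            findings.append((cur, "owner uid %d" % st.st_uid))
        if mode & mask:                        # forbidden write bits present
            findings.append((cur, "mode %04o violates mask %03o" % (mode, mask)))
        if cur == home:
            return findings
        parent = os.path.dirname(cur)
        if parent == cur:                      # hit / without passing through home
            findings.append((path, "not inside home directory"))
            return findings
        cur = parent

def demo():
    """Constructed shared-account layout: group-writable ~/.ssh and key file."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    os.mkdir(ssh_dir)
    open(keys, "w").close()
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, 0o770)
    os.chmod(keys, 0o660)
    uid = os.getuid()
    strict = audit(keys, home, uid, STOCK)     # flags authorized_keys and .ssh
    relaxed = audit(keys, home, uid, GROUP)    # accepts group write
    os.chmod(keys, 0o666)                      # other-writable fails either mask
    world = audit(keys, home, uid, GROUP)
    return strict, relaxed, world

if __name__ == "__main__":
    for name, result in zip(("022", "002", "002 + world-writable"), demo()):
        print(name, result)
```

Run against a real account with mask 002, a clean result shows which shared accounts would pass a group-tolerant check while still failing on other-writable paths or foreign ownership.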