Samuel FORESTIER
2025-Mar-14 21:24 UTC
[PATCH] session: Set authentication info file as read-only
From 6a7394cb939b42ebda055c1bf70b54e10067a502 Mon Sep 17 00:00:00 2001 From: Samuel FORESTIER <samuel+dev at forestier.app> Date: Fri, 14 Mar 2025 20:30:00 +0100 Subject: [PATCH] session: Set authentication info file as read-only When 'ExposeAuthInfo' option is enabled, attempt to set the file containing authentication information as read-only (0400 UNIX permissions), as authenticated users should not modify the content of these files. The 'fchmod' operation is performed after writing to the file is complete and in a "best-effort" manner (i.e. it will only be logged if system call fails). This approach is much more simpler than setting the file immutable and reverting it before its removal in 'do_cleanup'. --- session.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/session.c b/session.c index 52a4a3446..5bcf9276a 100644 --- a/session.c +++ b/session.c @@ -286,6 +286,8 @@ prepare_auth_info_file(struct passwd *pw, struct sshbuf *info) error_f("write: %s", strerror(errno)); goto out; } + if (fchmod(fd, S_IRUSR) == -1) + logit("fchmod(): %.100s", strerror(errno)); if (close(fd) != 0) { error_f("close: %s", strerror(errno)); goto out; -- 2.34.1