Re: how to have ssh not disable local security policy?

On 03/06/15 23:10, L. A. Walsh wrote:
> It seems something changed (maybe I'm missing a patch)
> to turn off this message:
> (...)
> Each user -- including root, is in their own group, so allowing groups access to
> be the same as user access is policy.
>
> By forcing this protection on my setup, I can't
> have the same home directory for my local and domain
> users even though they are the same on the server.
>
> But on the win-machine with home mounted directories,
> it messes things up and people have to come up with
> insecure work-arounds.  (...)  Am I missing something?

You need to apply https://sources.debian.net/src/openssh/1:6.7p1-6/debian/patches/user-group-modes.patch/

I was convinced it was available as a ./configure switch, but it turns out it isn't upstreamed. Darren, Damien, could you reconsider the decision not to accept this relatively common patch? After reading the discussion at https://bugzilla.mindrot.org/show_bug.cgi?id=1060 I also think there was a misunderstanding on your part.

I have reviewed the patch (note it is an improved version of the one submitted in the bug) and it seems suitable for inclusion. I recommend, however, adding a setpwent() just before the getpwent() loop, to protect against the possibility of some library calling getpwent() before secure_permissions().

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



