hi,

On 11/25/2015 12:07 PM, Ruediger Meier wrote:
> Hi,
>
> On Tuesday 24 November 2015, Radek Podgorny wrote:
>> hello everyone!
>>
>> i'd like to sincerely ask you to include a fix for ssh-copy-id
>> bug i'll be linking below. it's a trivial fix which resolves
>> https://bugzilla.mindrot.org/show_bug.cgi?id=2206 and eases life
>> of many. it's been field-tested by redhat devs and users so i see
>> no problem in incorporating it.
>>
>> http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.8p1-fix-ssh-copy-id-on-non-sh-shell.patch
>
>
>>> - umask 077 ; + exec sh -c 'umask 077; mkdir -p .ssh && cat >>
>>> .ssh/authorized_keys || exit 1; if type restorecon >/dev/null
>>> 2>&1; then restorecon -F .ssh .ssh/authorized_keys; fi'" \ -
>>> mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; - if
>>> type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh
>>> .ssh/authorized_keys ; fi" \
>
> Does "exec sh -c ..." really make sense in general? People who are
> using non-posix login shells where not even "2>&1" or "&&" works
> are probably good candidates who would also link /bin/sh to point
> to a non-posix shell.
>
> Personally I think it's hard enough to write POSIX compatible
> shell scripts and I wouldn't start to add such hacks for fish and
> tcsh. Next week somebody may complain that his "shell" does not
> support "exec ...".

i wouldn't be afraid of that. i think it's a common practice (no hard
numbers for that, though) that you leave the sh link pointed to posix
shell at all times - there's too many things in the wild depending on
that.

anyway, i wouldn't call it a hack. you need a posix shell on the
remote side and this is so far the best method to state it. of course,
someone may have a really odd shell with no exec support or have the
sh link pointing elsewhere but for such poor guy, the ssh-copy-id is
not working today, anyway, so no real "breakage" happens.
on the other hand, there's many people who would benefit from this
patch and as it's backwards compatible, nothing gets broken for
anyone. if - and that may never happen - in the future someone
complains about his shell not being supported, let's find a better
way. but until then i think this is a safe thing to do.

thanks,
R.

> cu,
> Rudi
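
Review bot: in the added `exec sh -c '...'` line of the quoted hunk, `sh` is looked up through the remote account's PATH and the command still depends on the login shell accepting `exec` and a single-quoted word, which is the assumption questioned in this thread; a comment above that line stating that the remote side must provide a POSIX `sh` would document it. The payload is now single-quoted inside the existing double-quoted string, so anything added to it later must not contain a single quote, and the relative `.ssh` paths still rely on the session starting in the user's home directory.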