On Fri, May 14, 2010 at 09:24:50PM -0400, Joey Hess wrote:
> I don't really understand the point of checking who can write to the
> file but assuming it's general paranoia, I think you weakened it too far
> with the user group patch.
>
> -rw-rw-r-- 1 joey nogroup 1099 Apr 15 19:37 config
> j...@gnu:~/.ssh>ssh localhost echo oops
> oops
>
> -rw-rw-r-- 1 joey games 1.1K Apr 15 19:37 config
> j...@gnu:~/.ssh>ssh localhost echo oops
> oops
>
> -rw-rw-r-- 1 joey scanner 1099 Apr 15 19:37 config
> j...@gnu:~/.ssh>ssh localhost echo oops
> Bad owner or permissions on /home/joey/.ssh/config
>
> So, it looks like any group with 0 or 1 member is allowed to own the
> file, even if the user is not a member. (Here the scanner group has 2
> members.)
Are you sure you aren't a member of group games?

$ getent group games
games:x:60:cjwatson
$ getent group ssl-cert
ssl-cert:x:108:postgres
$ sudo chgrp games ~/.ssh/config
$ ssh localhost echo oops
oops
$ sudo chgrp ssl-cert ~/.ssh/config
$ ssh localhost echo oops
Bad owner or permissions on /home/cjwatson/.ssh/config

A zero-member group, or any random group containing only the user, should
clearly be fine in my book because the ownership of ~/.ssh/config by that
group doesn't permit any other user to write to the file.

-- 
Colin Watson [cjwat...@debian.org]
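A runnable model of the ownership rule the two messages describe, added here as an example and not OpenSSH's or Debian's own code. The group and passwd tables are constructed to mirror the thread (the uids and the scanner/postgres entries are assumed), and the membership helper also counts users whose primary group is the file's group, since gr_mem never lists those.

```python
import stat

# Constructed stand-ins for the NSS data the real check reads through
# getgrgid(3) and getpwent(3): (group, gid, gr_mem names) and
# (user, uid, primary gid). Entries other than games/ssl-cert are assumed.
GROUPS = [
    ("nogroup", 65534, []),                   # no listed members
    ("games", 60, ["cjwatson"]),              # only the user
    ("ssl-cert", 108, ["postgres"]),          # one member, not the user
    ("scanner", 104, ["cjwatson", "saned"]),  # two members
    ("postgres", 109, []),                    # empty gr_mem, primary group below
]
USERS = [
    ("cjwatson", 1000, 1000),
    ("postgres", 110, 109),
    ("saned", 111, 111),
]

def group_member_uids(gid, groups=GROUPS, users=USERS):
    """All uids that belong to gid: names listed in gr_mem plus users whose
    primary gid is gid. The latter never appear in gr_mem, so a group that
    looks empty in /etc/group can still give another user write access."""
    name_to_uid = {name: uid for name, uid, _ in users}
    uids = {uid for _, uid, primary in users if primary == gid}
    for _, g, members in groups:
        if g == gid:
            uids.update(name_to_uid[m] for m in members if m in name_to_uid)
    return uids

def config_is_trusted(st_mode, st_uid, st_gid, uid, groups=GROUPS, users=USERS):
    """Reconstruction of the rule discussed in the thread: the file must be
    owned by the user or root, must not be world-writable, and may be
    group-writable only if nobody other than the user is in its group."""
    if st_uid not in (0, uid):
        return False
    if st_mode & stat.S_IWOTH:
        return False
    if st_mode & stat.S_IWGRP and group_member_uids(st_gid, groups, users) - {uid}:
        return False
    return True

def verdicts(uid=1000, mode=0o664):
    """The -rw-rw-r-- cases from the thread, keyed by owning group name."""
    return {name: config_is_trusted(mode, uid, gid, uid) for name, gid, _ in GROUPS}
```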