Not to the best of my knowledge, no. It demands permissions of 0700 or less, and ownership by the users who is trying to authenticate, or it will simply bypass the file and carry on to the next authentication mechanism.
Daniel On Mon, Aug 29, 2011 at 21:01, Luke Kanies <l...@puppetlabs.com> wrote: > SSH won't allow this, will it? > > -- > http://puppetlabs.com/ | +1-615-594-8199 | @puppetmasterd > > On Aug 29, 2011, at 7:34 PM, Trevor Vaughan <tvaug...@onyxpoint.com> wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> We also need to have the option to have the user *not* own the file. >> >> There could be very good reasons to have root own these files. >> >> For instance, when I was at school, it was quite common for people to just >> add each other to their authorized_keys files so that things would be >> "easier". >> >> It would be very nice to be able to prevent this. >> >> Trevor >> >> On 08/29/2011 04:06 PM, Ricky Zhou wrote: >>> On 2011-08-28 08:30:04 AM, wearetherob...@puppetlabs.com wrote: >>>> In order to support use cases where an authorized_key file is written to >>>> a non-standard location, which may not be writable by the user, this patch >>>> removes the step in the flush method that switches users before writing >>>> the authorized_key file to disk. As a result, the authorized_key can now >>>> be written to any location. >>>> >>>> This patch does not change the core functionality of the >>>> ssh_authorized_key type. >>> This seems dangerous, as when the authorized_keys file is in a location >>> that is writable by the user, the user can make it a symlink to say, >>> /etc/shadow and get puppet to write to it. >>> >>> Looking at the rest of this code, there is currently a chown that occurs >>> before privileges are dropped, which looks like it might be a security >>> vulnerability: >>> >>> In the flush method in lib/puppet/provider/ssh_authorized_key/parsed.rb: >>> >>> unless File.exist?(dir = File.dirname(target)) >>> Puppet.debug "Creating #{dir}" >>> Dir.mkdir(dir, dir_perm) >>> File.chown(uid, nil, dir) >>> end >>> >>> If a user manages to replace the directory with a symlink to /etc right >>> before >>> the chown call, then it will be chowned to the user (chown follows symlinks, >>> lchown does not). >>> >>> The chown and chmod commands at the end of the function are also potentially >>> dangerous, since both of these will follow symlinks. Here's a patch which >>> moves both of these into the block which is run with dropped privileges. I >>> removed the chown call entirely, as it should the file should already be >>> owned >>> by the right user when it's created. >>> >>> Thanks, >>> Ricky >> >> - -- >> Trevor Vaughan >> Vice President, Onyx Point, Inc. >> email: tvaug...@onyxpoint.com >> phone: 410-541-ONYX (6699) >> pgp: 0x6C701E94 >> >> - -- This account not approved for unencrypted sensitive information -- >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.11 (GNU/Linux) >> >> iQEcBAEBAgAGBQJOXEBlAAoJECNCGV1OLcypP/sIAIdbfeyvTbLTGmtqqkKJGVMw >> IH0rCKSQbuksCjLH1QH3eZ35tC7SRFlSt7KS5oQIH02WFPiGCEWh64FmT2wKjvJ7 >> xlOySQKB4eIARXUNJzaDlgTzQOz/eJG1HN5vE0mSa6ZfpOQ16B34ayTlkQ5ztqu/ >> m5stu71yfoDk+lStf4U4AyPZZDqlQi0I+0nw3HWNalNFyPcRBhlFXS7oif0mL/DJ >> p4065FObPr1QIKl1APK1+d8gc24wAlUIKMHQ0U4O8eb0A4IKnpCmlUyq4TO1i3V8 >> U3KTyUTFve0egF+i+f27vi1W1xIRe6TTuZtNuZZaJKRERG5877Y256JdJ7IHJHs= >> =L3jo >> -----END PGP SIGNATURE----- >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Puppet Developers" group. >> To post to this group, send email to puppet-dev@googlegroups.com. >> To unsubscribe from this group, send email to >> puppet-dev+unsubscr...@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/puppet-dev?hl=en. >> >> <tvaughan.vcf> > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Developers" group. > To post to this group, send email to puppet-dev@googlegroups.com. > To unsubscribe from this group, send email to > puppet-dev+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-dev?hl=en. > > -- ⎋ Puppet Labs Developer – http://puppetlabs.com ♲ Made with 100 percent post-consumer electrons -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to puppet-dev@googlegroups.com. To unsubscribe from this group, send email to puppet-dev+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
