Re: time to fix silly ssh bug
On 06/21/2012 03:49 AM, Richard W.M. Jones wrote:
> On Tue, Jun 19, 2012 at 10:10:43AM -0400, Neal Becker wrote:
>> Adam Jackson wrote:
>>> On 6/19/12 9:01 AM, Neal Becker wrote:
>>>> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.
>>>
>>> Perhaps a better idea is to just have openssh-server install /etc/skel/.ssh with the appropriate permissions.
>>>
>>> - ajax
>>
>> That doesn't work, see my other reply
>
> Can you link to the other reply? I can't see which one you mean ...
>
> Rich.

If the KDE useradd utility is setting up permissions on users' homedir as 775, a bugzilla should be opened and maybe marked as a security issue.

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Re: time to fix silly ssh bug
On Thu, 2012-06-21 at 00:25 -0500, Dennis Gilmore wrote:
> On Wed, 20 Jun 2012 22:13:06 -0700, Adam Williamson awill...@redhat.com wrote:
>> On Wed, 2012-06-20 at 18:16 -0600, Dariusz J. Garbowski wrote:
>>> On 20/06/12 02:47 PM, Charles Zeitler wrote:
>>>> On Tue, Jun 19, 2012 at 11:17 PM, Adam Williamson awill...@redhat.com wrote:
>>>>> I just tested a fresh install from F17 desktop live; the /home/user directory created after firstboot is 700. /home/user created by s-c-u is 700. /home/user created by useradd is 700. /home/user created by GNOME account tool is 700. So I can't recreate a 755 user dir in any way.
>>>>
>>>> Maybe you're not trying hard enough. BTW, KDE install gave me a 755 ~, and a mix of modes on sub-directories.
>>>
>>> Bingo! Pattern found? I installed KDE as well, from DVD image.
>>
>> It's possible, but seems odd. User accounts are created by firstboot, always. It's the same code, whatever desktop you install and from whatever media. There may be some kind of odd thing going on, but I can't think what off the top of my head. I can poke it a bit more tomorrow...
>
> Is firstboot using kwin4 when only KDE is installed? And is that setting a non-default umask?

That is one difference, yeah, firstboot uses native window managers. I've no idea why a WM would set a umask, but it's possible, I guess.

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: time to fix silly ssh bug
On Tue, Jun 19, 2012 at 10:10:43AM -0400, Neal Becker wrote:
> Adam Jackson wrote:
>> On 6/19/12 9:01 AM, Neal Becker wrote:
>>> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.
>>
>> Perhaps a better idea is to just have openssh-server install /etc/skel/.ssh with the appropriate permissions.
>>
>> - ajax
>
> That doesn't work, see my other reply

Can you link to the other reply? I can't see which one you mean ...

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#) http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora
Re: time to fix silly ssh bug
On Tue, Jun 19, 2012 at 11:17 PM, Adam Williamson awill...@redhat.com wrote:
> I just tested a fresh install from F17 desktop live; the /home/user directory created after firstboot is 700. /home/user created by s-c-u is 700. /home/user created by useradd is 700. /home/user created by GNOME account tool is 700. So I can't recreate a 755 user dir in any way.

Maybe you're not trying hard enough. BTW, KDE install gave me a 755 ~, and a mix of modes on sub-directories.

charles zeitler
--
Do what thou wilt shall be the whole of the Law.
Re: time to fix silly ssh bug
On 20/06/12 02:47 PM, Charles Zeitler wrote:
> On Tue, Jun 19, 2012 at 11:17 PM, Adam Williamson awill...@redhat.com wrote:
>> I just tested a fresh install from F17 desktop live; the /home/user directory created after firstboot is 700. /home/user created by s-c-u is 700. /home/user created by useradd is 700. /home/user created by GNOME account tool is 700. So I can't recreate a 755 user dir in any way.
>
> Maybe you're not trying hard enough. BTW, KDE install gave me a 755 ~, and a mix of modes on sub-directories.

Bingo! Pattern found? I installed KDE as well, from DVD image.

Dariusz
Re: time to fix silly ssh bug
On 20/06/12 07:31 PM, Jesse Keating wrote:
> On 06/20/2012 05:16 PM, Dariusz J. Garbowski wrote:
>> On 20/06/12 02:47 PM, Charles Zeitler wrote:
>>> On Tue, Jun 19, 2012 at 11:17 PM, Adam Williamson awill...@redhat.com wrote:
>>>> I just tested a fresh install from F17 desktop live; the /home/user directory created after firstboot is 700. /home/user created by s-c-u is 700. /home/user created by useradd is 700. /home/user created by GNOME account tool is 700. So I can't recreate a 755 user dir in any way.
>>>
>>> Maybe you're not trying hard enough. BTW, KDE install gave me a 755 ~, and a mix of modes on sub-directories.
>>
>> Bingo! Pattern found? I installed KDE as well, from DVD image.
>>
>> Dariusz
>
> Are you creating users through a KDE utility?

No. In this case we are talking about the default user created during F17 installation. I'm guessing that maybe KDE does something naughty?

In addition, just an hour ago, I tested useradd and s-c-u; both create the user home with 700 permissions. Haven't tested the KDE utility. Frankly, I don't even know which utility that would be (personally I use useradd for this stuff).

--
Dariusz
Re: time to fix silly ssh bug
On Wed, 2012-06-20 at 18:16 -0600, Dariusz J. Garbowski wrote:
> On 20/06/12 02:47 PM, Charles Zeitler wrote:
>> On Tue, Jun 19, 2012 at 11:17 PM, Adam Williamson awill...@redhat.com wrote:
>>> I just tested a fresh install from F17 desktop live; the /home/user directory created after firstboot is 700. /home/user created by s-c-u is 700. /home/user created by useradd is 700. /home/user created by GNOME account tool is 700. So I can't recreate a 755 user dir in any way.
>>
>> Maybe you're not trying hard enough. BTW, KDE install gave me a 755 ~, and a mix of modes on sub-directories.
>
> Bingo! Pattern found? I installed KDE as well, from DVD image.

It's possible, but seems odd. User accounts are created by firstboot, always. It's the same code, whatever desktop you install and from whatever media. There may be some kind of odd thing going on, but I can't think what off the top of my head. I can poke it a bit more tomorrow...

--
Adam Williamson
Re: time to fix silly ssh bug
On Wed, 2012-06-20 at 20:09 -0600, Dariusz J. Garbowski wrote:
> On 20/06/12 07:31 PM, Jesse Keating wrote:
>> On 06/20/2012 05:16 PM, Dariusz J. Garbowski wrote:
>>> On 20/06/12 02:47 PM, Charles Zeitler wrote:
>>>> On Tue, Jun 19, 2012 at 11:17 PM, Adam Williamson awill...@redhat.com wrote:
>>>>> I just tested a fresh install from F17 desktop live; the /home/user directory created after firstboot is 700. /home/user created by s-c-u is 700. /home/user created by useradd is 700. /home/user created by GNOME account tool is 700. So I can't recreate a 755 user dir in any way.
>>>>
>>>> Maybe you're not trying hard enough. BTW, KDE install gave me a 755 ~, and a mix of modes on sub-directories.
>>>
>>> Bingo! Pattern found? I installed KDE as well, from DVD image.
>>>
>>> Dariusz
>>
>> Are you creating users through a KDE utility?
>
> No. In this case we are talking about the default user created during F17 installation. I'm guessing that maybe KDE does something naughty?

Just to be clear, though I've said it elsewhere: remember, you don't actually create any user accounts *during installation*. On a normal workflow, you create them in firstboot on the first boot after installation. During install, you only set the root password.

--
Adam Williamson
Re: time to fix silly ssh bug
On Wed, 20 Jun 2012 22:13:06 -0700, Adam Williamson awill...@redhat.com wrote:
> On Wed, 2012-06-20 at 18:16 -0600, Dariusz J. Garbowski wrote:
>> On 20/06/12 02:47 PM, Charles Zeitler wrote:
>>> On Tue, Jun 19, 2012 at 11:17 PM, Adam Williamson awill...@redhat.com wrote:
>>>> I just tested a fresh install from F17 desktop live; the /home/user directory created after firstboot is 700. /home/user created by s-c-u is 700. /home/user created by useradd is 700. /home/user created by GNOME account tool is 700. So I can't recreate a 755 user dir in any way.
>>>
>>> Maybe you're not trying hard enough. BTW, KDE install gave me a 755 ~, and a mix of modes on sub-directories.
>>
>> Bingo! Pattern found? I installed KDE as well, from DVD image.
>
> It's possible, but seems odd. User accounts are created by firstboot, always. It's the same code, whatever desktop you install and from whatever media. There may be some kind of odd thing going on, but I can't think what off the top of my head. I can poke it a bit more tomorrow...

Is firstboot using kwin4 when only KDE is installed? And is that setting a non-default umask?

Dennis
Re: time to fix silly ssh bug
I'm confused. As long as ~/.ssh is 700 it works for me.

On Jun 19, 2012 8:02 AM, Neal Becker ndbeck...@gmail.com wrote:
> It's been true for a long time that fedora sets up home dir as 775. But ssh, with default settings, won't allow public keys to work when home dir has mode 775.
>
> Not only that, but the poor new fedora user, who tries to ssh into his fedora box, won't see any message indicating what is wrong. Only if he/she can be root and read /var/log/secure may they learn the reason.
>
> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.
Re: time to fix silly ssh bug
On 06/19/2012 02:01 PM, Neal Becker wrote:
> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.

I think it would be better to ensure the directory is created with the correct permissions. The administrator already has control of the StrictModes setting if they want to relax this restriction.

Regards,
Bryn.
Re: time to fix silly ssh bug
Jayson Vaughn wrote:
> I'm confused. As long as ~/.ssh is 700 it works for me.
>
> On Jun 19, 2012 8:02 AM, Neal Becker ndbeck...@gmail.com wrote:
>> It's been true for a long time that fedora sets up home dir as 775. But ssh, with default settings, won't allow public keys to work when home dir has mode 775.
>>
>> Not only that, but the poor new fedora user, who tries to ssh into his fedora box, won't see any message indicating what is wrong. Only if he/she can be root and read /var/log/secure may they learn the reason.
>>
>> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.

Are you sure??

ls -ld .ssh
drwx------. 2 nbecker nbecker 4096 Jun 15 08:25 .ssh
ls -ld ~/
drwxrwxr-x. 67 nbecker nbecker 4096 Jun 19 06:54 /home/nbecker/

Jun 19 09:44:41 nbecker5 sshd[25418]: Authentication refused: bad ownership or modes for directory /home/nbecker
Re: time to fix silly ssh bug
Bryn M. Reeves wrote:
> On 06/19/2012 02:01 PM, Neal Becker wrote:
>> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.
>
> I think it would be better to ensure the directory is created with the correct permissions. The administrator already has control of the StrictModes setting if they want to relax this restriction.
>
> Regards,
> Bryn.

The issue is the admin is likely some poor newb installing fedora on his home computer. I argue the reverse: the knowledgeable unix hack can change it to make it stricter.
Re: time to fix silly ssh bug
On 6/19/12 9:01 AM, Neal Becker wrote:
> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.

Perhaps a better idea is to just have openssh-server install /etc/skel/.ssh with the appropriate permissions.

- ajax
Re: time to fix silly ssh bug
Adam Jackson wrote:
> On 6/19/12 9:01 AM, Neal Becker wrote:
>> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.
>
> Perhaps a better idea is to just have openssh-server install /etc/skel/.ssh with the appropriate permissions.
>
> - ajax

That doesn't work, see my other reply.
Re: time to fix silly ssh bug
Neal Becker wrote:
> Jun 19 09:44:41 nbecker5 sshd[25418]: Authentication refused: bad ownership or modes for directory /home/nbecker

Looks like a new change in OpenSSH then, which is IMHO a regression, unless there's a clear security vulnerability being addressed there.

Kevin Kofler
Re: time to fix silly ssh bug
On Jun 19, 2012 8:46 AM, Neal Becker ndbeck...@gmail.com wrote:
> Jayson Vaughn wrote:
>> I'm confused. As long as ~/.ssh is 700 it works for me.
>>
>> On Jun 19, 2012 8:02 AM, Neal Becker ndbeck...@gmail.com wrote:
>>> It's been true for a long time that fedora sets up home dir as 775. But ssh, with default settings, won't allow public keys to work when home dir has mode 775.
>>>
>>> Not only that, but the poor new fedora user, who tries to ssh into his fedora box, won't see any message indicating what is wrong. Only if he/she can be root and read /var/log/secure may they learn the reason.
>>>
>>> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.
>
> Are you sure??
>
> ls -ld .ssh
> drwx------. 2 nbecker nbecker 4096 Jun 15 08:25 .ssh
> ls -ld ~/
> drwxrwxr-x. 67 nbecker nbecker 4096 Jun 19 06:54 /home/nbecker/
>
> Jun 19 09:44:41 nbecker5 sshd[25418]: Authentication refused: bad ownership or modes for directory /home/nbecker

Well, yes, it works for me; however, my home directories are not created with 775 permissions by default. Every time I use useradd the home directory is created as 700, as it should be.

Your home directories are created with permissions 775 by default?
Re: time to fix silly ssh bug
On Jun 19, 2012 10:07 AM, Jayson Vaughn vaughn.jay...@gmail.com wrote:
> On Jun 19, 2012 8:46 AM, Neal Becker ndbeck...@gmail.com wrote:
>> Jayson Vaughn wrote:
>>> I'm confused. As long as ~/.ssh is 700 it works for me.
>>>
>>> On Jun 19, 2012 8:02 AM, Neal Becker ndbeck...@gmail.com wrote:
>>>> It's been true for a long time that fedora sets up home dir as 775. But ssh, with default settings, won't allow public keys to work when home dir has mode 775.
>>>>
>>>> Not only that, but the poor new fedora user, who tries to ssh into his fedora box, won't see any message indicating what is wrong. Only if he/she can be root and read /var/log/secure may they learn the reason.
>>>>
>>>> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.
>>
>> Are you sure??
>>
>> ls -ld .ssh
>> drwx------. 2 nbecker nbecker 4096 Jun 15 08:25 .ssh
>> ls -ld ~/
>> drwxrwxr-x. 67 nbecker nbecker 4096 Jun 19 06:54 /home/nbecker/
>>
>> Jun 19 09:44:41 nbecker5 sshd[25418]: Authentication refused: bad ownership or modes for directory /home/nbecker
>
> Well, yes, it works for me; however, my home directories are not created with 775 permissions by default. Every time I use useradd the home directory is created as 700, as it should be.
>
> Your home directories are created with permissions 775 by default?

What is your UMASK value in /etc/login.defs? It should be 077, which creates the home directories as 700.
Re: time to fix silly ssh bug
On 6/19/12 11:02 AM, Kevin Kofler wrote:
> Neal Becker wrote:
>> Jun 19 09:44:41 nbecker5 sshd[25418]: Authentication refused: bad ownership or modes for directory /home/nbecker
>
> Looks like a new change in OpenSSH then, which is IMHO a regression, unless there's a clear security vulnerability being addressed there.

So, having actually bothered to read and think about the code now, the thing it's addressing is that if we're in the same group I can rename directories in your ~. If there are any other files you own but I can write to (in directories I can write to), then I can clobber them with my pubkey and rename them to authorized_keys. If there's another directory you own but I can write to, I can install that directory as your ~/.ssh. Then I ssh to the machine with my own pubkey and suddenly I can log in as you.

Which isn't normally a thing, the way we work, because the group that owns your ~/.ssh is composed solely of you. But sshd doesn't do the getgrent() thing to verify that, so it has no choice but to assume that group-writable directories are potential uid escalation attacks. The code's not wrong, it's just perhaps not as right as it could be.

That said, since one's ~ is normally group-owned by a group consisting solely of one user, defaulting it to 755 instead of 775 would make sshd happy without any real side effects.

- ajax
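Added example, not code from this thread and not OpenSSH's own code: a small shell re-implementation of the ownership and mode walk that sshd performs under "StrictModes yes" before it will trust ~/.ssh/authorized_keys (roughly what secure_filename() in OpenSSH's auth.c does). It ties together Neal's evidence above (a 700 ~/.ssh under a 775 home still gets "bad ownership or modes for directory /home/nbecker") and ajax's explanation of why a group-writable directory anywhere on that path is treated as a uid escalation risk. The function and variable names are ours, the throwaway home directories are constructed under mktemp, and it assumes a stat(1) that accepts -c (GNU or busybox).

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): emulate the StrictModes
# walk sshd does for HOME/.ssh/authorized_keys. Assumes stat -c (GNU/busybox).

# check_strict_modes HOME USER [FILE]
# Walk from FILE (default HOME/.ssh/authorized_keys) up to and including HOME.
# Every path on the way must be owned by USER or root and must not be group-
# or world-writable. Prints the first offending path and returns 1 when sshd
# would refuse the key; returns 0 when it would accept it.
check_strict_modes() {
    home=$1 user=$2 file=${3:-$1/.ssh/authorized_keys}
    uid=$(id -u "$user") || return 2
    p=$file
    while :; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        owner=$(stat -c %u "$p")
        perm=$(stat -c %A "$p")            # symbolic mode, e.g. drwxrwxr-x
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "bad ownership for $p (uid $owner, expected $uid or 0)"
            return 1
        fi
        # character 6 is the group write bit, character 9 the world write bit
        case $perm in
            ?????w*|????????w*)
                echo "bad modes for $p ($perm is group/world writable)"
                return 1 ;;
        esac
        [ "$p" = "$home" ] && break        # the home directory is the last one checked
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return 0
}

# probe MODE: build a throwaway home directory whose top level has mode MODE,
# with a 700 ~/.ssh and a 600 authorized_keys exactly like Neal's box, and
# return what check_strict_modes says about it.
probe() {
    base=$(mktemp -d) || return 2
    h=$base/home
    mkdir -p "$h/.ssh" && chmod "$1" "$h" && chmod 700 "$h/.ssh" &&
        : > "$h/.ssh/authorized_keys" && chmod 600 "$h/.ssh/authorized_keys"
    check_strict_modes "$h" "$(id -un)"
    rc=$?
    rm -rf "$base"
    return $rc
}

# 700 and 755 are accepted; 775 is refused even though ~/.ssh itself is 700.
for m in 700 755 775; do
    if probe "$m" >/dev/null; then
        echo "home mode $m: accepted"
    else
        echo "home mode $m: refused"
    fi
done
```

Running it as yourself prints "accepted" for 700 and 755 and "refused" for 775, which is the whole disagreement in the thread in three lines: the 700 ~/.ssh is fine, the 775 home above it is what trips the check. To audit a real box, call check_strict_modes on each home directory from /etc/passwd with its owner; anything it reports is a user whose public-key logins will silently fail until the mode is tightened or StrictModes is relaxed in sshd_config.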
Re: time to fix silly ssh bug
On 06/19/2012 04:02 PM, Kevin Kofler wrote:
> Neal Becker wrote:
>> Jun 19 09:44:41 nbecker5 sshd[25418]: Authentication refused: bad ownership or modes for directory /home/nbecker
>
> Looks like a new change in OpenSSH then, which is IMHO a regression, unless there's a clear security vulnerability being addressed there.

OpenSSH has behaved this way as long as I have been using it (I just checked, and even sshd_config on a Fedora Core *1* box has the StrictModes option). There's nothing new here at all.

Regards,
Bryn.
Re: time to fix silly ssh bug
On 06/19/2012 02:47 PM, Neal Becker wrote:
> Bryn M. Reeves wrote:
>> On 06/19/2012 02:01 PM, Neal Becker wrote:
>>> This is ridiculous. I liked the idea of 775 when it was introduced, since it did solve an annoyance with the old unix groups. But then we should make the default fedora install work by setting the sshd config to allow it to accept this setup.
>>
>> I think it would be better to ensure the directory is created with the correct permissions. The administrator already has control of the StrictModes setting if they want to relax this restriction.
>
> The issue is the admin is likely some poor newb installing fedora on his home computer. I argue the reverse: the knowledgeable unix hack can change it to make it stricter.

Then that's a policy change that should be proposed and reviewed. It's not a bug and there is nothing to fix. The current behaviour is long-standing not only in Fedora but in the upstream project that we are packaging.

If you'd like to change that policy I'd submit an RFE to the Fedora openssh maintainers, but I wouldn't be too surprised if it was rejected. IMHO the issue you describe is better dealt with through documentation for newbie admins than by changing a default that would be hazardous for some common configurations.

Regards,
Bryn.
Re: time to fix silly ssh bug
Neal Becker wrote:
> It's been true for a long time that fedora sets up home dir as 775.

No, it is not true.

$ grep UMASK /etc/login.defs
UMASK 077

This setting has been in effect as far back as Fedora 6 and possibly much farther.
Re: time to fix silly ssh bug
On Tue, 2012-06-19 at 09:01 -0400, Neal Becker wrote:
> It's been true for a long time that fedora sets up home dir as 775. But ssh, with default settings, won't allow public keys to work when home dir has mode 775.

Creating the home dirs with 775 mode is actually a bug or misconfiguration on your side.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
Re: time to fix silly ssh bug
On 06/19/2012 01:02 PM, Tomas Mraz wrote:
> On Tue, 2012-06-19 at 09:01 -0400, Neal Becker wrote:
>> It's been true for a long time that fedora sets up home dir as 775. But ssh, with default settings, won't allow public keys to work when home dir has mode 775.
>
> Creating the home dirs with 775 mode is actually a bug or misconfiguration on your side.

Yes, allowing any user to list/read any content in your home dir would be a bad default.
Re: time to fix silly ssh bug
On Tue, 19 Jun 2012 23:37:43 +0200, Daniel J Walsh wrote:
> Yes, allowing any user to list/read any content in your home dir would be a bad default.

Why? It would be a different default; it would be the default that has always been that way on UNIces. It is useful to learn how other users have configured this or that rc file on that machine. ~/Mail always was 700.

Jan
Re: time to fix silly ssh bug
On Tue, 2012-06-19 at 18:36 -0600, Dariusz J. Garbowski wrote:
> On 19/06/12 04:01 PM, Jan Kratochvil wrote:
>> On Tue, 19 Jun 2012 23:37:43 +0200, Daniel J Walsh wrote:
>>> Yes, allowing any user to list/read any content in your home dir would be a bad default.
>
> And yet my latest F17 installation ended up with 755 for my home dir, even though umask in /etc/login.defs is 077. A bug in Anaconda?
>
>> Why? It would be a different default; it would be the default that has always been that way on UNIces. It is useful to learn how other users have configured this or that rc file on that machine. ~/Mail always was 700.
>
> Fedora 16 created user homes with 700; Fedora 17 did 755 for my user. If it's not a bug then I can't see anything about this change in the F17 release notes. Am I missing something?

I just tested a fresh install from F17 desktop live; the /home/user directory created after firstboot is 700. /home/user created by s-c-u is 700. /home/user created by useradd is 700. /home/user created by GNOME account tool is 700. So I can't recreate a 755 user dir in any way.

--
Adam Williamson