author | 2001-09-23 11:09:13 +0000 | |
---|---|---|
committer | 2001-09-23 11:09:13 +0000 | |
commit | a57a7d6a0f7751703d59549de6c4ffcd0347487b (patch) | |
tree | 3e1ef0e0631f3ed44ed95409b2b49060a0e42c7c | |
parent | ipxintr was missing (diff) | |
relax permission check for private key files.
-rw-r--r-- | usr.bin/ssh/authfile.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/usr.bin/ssh/authfile.c b/usr.bin/ssh/authfile.c
index be7438b62b9..e24675cb112 100644
--- a/usr.bin/ssh/authfile.c
+++ b/usr.bin/ssh/authfile.c
@@ -36,7 +36,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: authfile.c,v 1.37 2001/06/23 15:12:17 itojun Exp $");
+RCSID("$OpenBSD: authfile.c,v 1.38 2001/09/23 11:09:13 markus Exp $");
 
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -486,15 +486,18 @@ key_perm_ok(int fd, const char *filename)
 {
 struct stat st;
 
- /* check owner and modes */
- if (fstat(fd, &st) < 0 ||
- (st.st_uid != 0 && getuid() != 0 && st.st_uid != getuid()) ||
- (st.st_mode & 077) != 0) {
- close(fd);
+ if (fstat(fd, &st) < 0)
+ return 0;
+ /*
+ * if a key owned by the user is accessed, then we check the
+ * permissions of the file. if the key owned by a different user,
+ * then we don't care.
+ */
+ if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("Bad ownership or mode(0%3.3o) for '%s'.",
+ error("Permissions 0%3.3o for '%s' are too open.",
 st.st_mode & 0777, filename);
 error("It is recommended that your private key files are NOT accessible by others.");
 error("This private key will be ignored.");
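Review bot: In key_perm_ok the mode test now runs only when `st.st_uid == getuid()`, so a key file owned by any other account is accepted whatever its mode, including group- or world-writable, and nothing is logged. If that is intended, the new comment should state the trust assumption rather than "we don't care", for example `/* files owned by another uid are used as-is; protecting them is left to their owner */`. Otherwise the check on the "other" bits could stay in force for every owner, e.g. `(st.st_mode & 007) != 0`. Separately, the removed `close(fd)` means both failure paths now return with the descriptor still open, so the callers, which are outside this hunk, have to close it; this is worth confirming, since the diffstat shows no other lines changed. The function body continues past the end of the hunk.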