On Sun, May 23, 2010 at 07:10:26AM +0100, Colin Watson wrote: > On Sun, May 23, 2010 at 03:16:56AM +0200, Christoph Anton Mitterer wrote: > > On Sat, 2010-05-22 at 19:55 +0100, Colin Watson wrote: > > > It's not completely dropping security. If the user is the only member > > > of a group, then the group-writability confers no additional permissions > > > and it's OK to allow it. > > > > Well I've read the code for the ~/.ssh/config changes,... I mean it > > seems ok at least at a first glance,... but I think it's more or less > > only a heuristic and I guess upstream has it's reasons to not merge > > it... > > Wrong reasons, yes. I corrected a significant mistake in their > objection on the upstream bug and they never responded to that; and they > also don't think that it's important for this part of the system to work > by default (I assume that they don't use systems with user-private > groups). I expect to continue carrying the patch since I am not > persuaded by their arguments.
Incidentally, don't take that the wrong way. I respect upstream and for the most part try to stay as close to them as I can (though the need to carry the GSSAPI patch means there's something of a lower bound here). But I also reserve my own judgement, particularly when problems disproportionately affect Debian. > > And what happens if group memberships changes just during that code > > part? > > I don't see a reason to care. Let's say that all but one user is being > removed from the group: now either the test fails, as it would have done > beforehand, or it passes, as it would do afterwards. Since the test is > essentially just to protect the user from themselves, it doesn't matter > that it races against passwd/group file changes. A further and better reason is that only root can change group memberships. OpenSSH doesn't need to defend against attempts by root to compromise their own system. -- Colin Watson [cjwat...@debian.org] -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org