Bug#581434: UPG and the default umask

2010-05-15 Thread Vincent Danjean
On 15/05/2010 03:12, Joey Hess wrote:
 Vincent Danjean wrote:
  I'm happy with this move. However, there is still an interaction with ssh
  to deal with:
  vdanj...@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
  vdanj...@eyak:~$ ssh localhost
  vdanj...@localhost's password:
  And, in /var/log/auth.log:
  May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys

  vdanj...@eyak:~$ chmod -Rv g-w .ssh/authorized_keys
  le mode de « .ssh/authorized_keys » a été modifié en 0644 (rw-r--r--).
  vdanj...@eyak:~$ ssh localhost
  You have mail.
  Last login: Tue May 11 17:10:30 2010
  vdanj...@eyak:~$

  My system is in UPG but I was using default umask 022
 
 FWIW, for openssh this is supposed to be fixed in version 1:4.1p1-3.
 See #314347. It was changed to allow group-writable files if
 the owner is the only member in the group.

Something is wrong here. Should 314347 be reopened?

vdanj...@eyak:~$ LC_ALL=C apt-cache policy openssh-server
openssh-server:
  Installed: 1:5.5p1-3
  Candidate: 1:5.5p1-3
  Version table:
 *** 1:5.5p1-3 0
        500 http://ftp.fr.debian.org unstable/main Packages
        500 http://ftp.fr.debian.org testing/main Packages
        100 /var/lib/dpkg/status
     1:5.1p1-5 0
        500 http://ftp.fr.debian.org stable/main Packages
     1:4.3p2-9etch3 0
        500 http://ftp.fr.debian.org oldstable/main Packages
vdanj...@eyak:~$ cat /etc/group /etc/passwd | grep '^vdanjean'
vdanjean:x:1000:
vdanjean:x:1000:1000:Vincent Danjean,,,:/home/vdanjean:/bin/bash
vdanj...@eyak:~$



-- 
Vincent Danjean   GPG key ID 0x9D025E87 vdanj...@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#581434: UPG and the default umask

2010-05-14 Thread Vincent Danjean
On 13/05/2010 19:45, Aaron Toponce wrote:
 On 5/13/2010 3:48 AM, Santiago Vila wrote:
  Will be done in base-files 5.4.
 
 I just saw the change committed. Thank you very much! This is good news.
 
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581434#25

I'm happy with this move. However, there is still an interaction with ssh
to deal with:
vdanj...@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
vdanj...@eyak:~$ ssh localhost
vdanj...@localhost's password:
And, in /var/log/auth.log:
May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys

vdanj...@eyak:~$ chmod -Rv g-w .ssh/authorized_keys
le mode de « .ssh/authorized_keys » a été modifié en 0644 (rw-r--r--).
vdanj...@eyak:~$ ssh localhost
You have mail.
Last login: Tue May 11 17:10:30 2010
vdanj...@eyak:~$

My system is in UPG but I was using default umask 022

  Regards
Vincent

-- 
Vincent Danjean   GPG key ID 0x9D025E87 vdanj...@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main







Bug#581434: UPG and the default umask

2010-05-14 Thread Joey Hess
Vincent Danjean wrote:
 I'm happy with this move. However, there is still an interaction with ssh
 to deal with:

 vdanj...@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
 vdanj...@eyak:~$ ssh localhost
 vdanj...@localhost's password:
 And, in /var/log/auth.log:
 May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys

maildrop has the same problem with .mailfilter files.

-- 
see shy jo




Bug#581434: UPG and the default umask

2010-05-14 Thread Andreas Hemel
On Fri, May 14, 2010 at 01:21:41PM -0400, Joey Hess wrote:
 Vincent Danjean wrote:
  I'm happy with this move. However, there is still an interaction with ssh
  to deal with:
 
  vdanj...@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
  vdanj...@eyak:~$ ssh localhost
  vdanj...@localhost's password:
  And, in /var/log/auth.log:
  May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys
 
 maildrop has the same problem with .mailfilter files.

As does exim with .forward files. Should this be reported as a bug
against exim, now that the default umask will change?


Andreas






Bug#581434: UPG and the default umask

2010-05-14 Thread Santiago Vila
On Fri, 14 May 2010, Joey Hess wrote:

 Vincent Danjean wrote:
  I'm happy with this move. However, there is still an interaction with ssh
  to deal with:
 
  vdanj...@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
  vdanj...@eyak:~$ ssh localhost
  vdanj...@localhost's password:
  And, in /var/log/auth.log:
  May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys
 
 maildrop has the same problem with .mailfilter files.

Problems like that are expected to happen, and I think we should be
ready to fix them as they are found, so that the umask setting can
really be a choice of the system admin, not an imposition of certain
key programs that do not work well enough on systems having UPG and a
default umask of 002.

I remember that procmail had a similar problem, and the author
implemented a build macro for systems having UPG. From the changelog:

1999/03/02: v3.12
  Changes to procmail:
  - Don't use $HOME/.procmailrc if it's group-writable or in a
    group-writable directory, unless it's the user's default group
    and GROUP_PER_USER is set in config.h






Bug#581434: UPG and the default umask

2010-05-14 Thread Santiago Vila
On Sat, 15 May 2010, Andreas Hemel wrote:

 On Fri, May 14, 2010 at 01:21:41PM -0400, Joey Hess wrote:
  Vincent Danjean wrote:
   I'm happy with this move. However, there is still an interaction with ssh
   to deal with:
  
   vdanj...@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
   vdanj...@eyak:~$ ssh localhost
   vdanj...@localhost's password:
   And, in /var/log/auth.log:
   May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys
  
  maildrop has the same problem with .mailfilter files.
 
 As does exim with .forward files. Should this be reported as a bug
 against exim, now that the default umask will change?

I think so.

Ideally, we should support both 022 and 002 as umask.

Unfortunately, we have been using 022 for so long that we don't even
know what things have to be changed so that everything works when
umask is 002.

So, for practical purposes, setting 002 as the default umask is
probably the best (or maybe just the only) way to discover what needs
to be fixed when the umask is 002.






Bug#581434: UPG and the default umask

2010-05-14 Thread Joey Hess
Vincent Danjean wrote:
 I'm happy with this move. However, there is still an interaction with ssh
 to deal with:
 vdanj...@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
 vdanj...@eyak:~$ ssh localhost
 vdanj...@localhost's password:
 And, in /var/log/auth.log:
 May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys
 
 vdanj...@eyak:~$ chmod -Rv g-w .ssh/authorized_keys
 le mode de « .ssh/authorized_keys » a été modifié en 0644 (rw-r--r--).
 vdanj...@eyak:~$ ssh localhost
 You have mail.
 Last login: Tue May 11 17:10:30 2010
 vdanj...@eyak:~$
 
 My system is in UPG but I was using default umask 022

FWIW, for openssh this is supposed to be fixed in version 1:4.1p1-3.
See #314347. It was changed to allow group-writable files if
the owner is the only member in the group.

-- 
see shy jo
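
The rule discussed in this thread (accept a group-writable file only when its owner is the sole member of the group, as described for OpenSSH in #314347 and for procmail's GROUP_PER_USER), sketched as an added example that is not part of the original messages and is not the OpenSSH, Debian or procmail code. The function names, record types and the `alice` and `staff` entries are constructed; the `vdanjean` entries mirror the /etc/passwd and /etc/group lines quoted in the thread, and accepting root-owned files is an assumption of this sketch.

```python
import grp
import os
import pwd
import stat
from collections import namedtuple

# Constructed stand-ins with the same field names as pwd/grp records.
Passwd = namedtuple("Passwd", "pw_name pw_uid pw_gid")
Group = namedtuple("Group", "gr_name gr_gid gr_mem")

# vdanjean entries mirror the thread; alice and staff are constructed.
PASSWD = [Passwd("vdanjean", 1000, 1000), Passwd("alice", 1001, 1001)]
GROUP = [Group("vdanjean", 1000, []), Group("alice", 1001, []),
         Group("staff", 50, ["vdanjean", "alice"])]


def group_is_private(gid, uid, passwd_db, group_db):
    """True if user `uid` is the only account that can act as group `gid`."""
    uid_of = {p.pw_name: p.pw_uid for p in passwd_db}
    for g in group_db:
        # Names listed in /etc/group must all resolve to the owner; an
        # unknown name resolves to None and counts as a foreign member.
        if g.gr_gid == gid and any(uid_of.get(m) != uid for m in g.gr_mem):
            return False
    # Accounts with this primary gid are members too, even though /etc/group
    # lists nobody for them (the "vdanjean:x:1000:" case).
    return all(p.pw_uid == uid for p in passwd_db if p.pw_gid == gid)


def modes_ok(mode, file_uid, file_gid, uid, passwd_db, group_db):
    """Decide whether a file with these stat fields is safe to trust for `uid`."""
    if file_uid not in (0, uid):      # assumption: root-owned files are accepted
        return False
    if mode & stat.S_IWOTH:           # world-writable is never acceptable
        return False
    if mode & stat.S_IWGRP:           # group-writable only in a private group
        return group_is_private(file_gid, uid, passwd_db, group_db)
    return True


def check_file(path, uid):
    """Apply modes_ok to a real file using the system account databases."""
    st = os.stat(path)
    return modes_ok(st.st_mode, st.st_uid, st.st_gid, uid,
                    pwd.getpwall(), grp.getgrall())


if __name__ == "__main__":
    key_file = os.path.expanduser("~/.ssh/authorized_keys")
    if os.path.exists(key_file):
        print(key_file, "ok" if check_file(key_file, os.getuid()) else "refused")
```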

