[OpenAFS-devel] User-friendly Mac OS X patch causes SSH hardship

Harald Barth haba@pdc.kth.se
Thu, 08 Feb 2007 10:46:31 +0100 (MET)


> Normally, we solve this by making a ~/.ssh/private/, moving the private 
> keys into it, and then making symlinks from the old locations to the new 
> ones, and set the ACLs to something like (for user "erlkonig"):

Does that really help? Aren't all directories equally "writable" according
to the mode bits? (Disclaimer: I have no Mac here)

src/afs/VNOPS/afs_vnop_attrs.c

            if (S_ISDIR(attrs->va_mode)) {
                /* all access bits need to be set for directories, since even
                 * a mode 0 directory can still be used normally.
                 */
                attrs->va_mode |= ACCESSPERMS;
            } else {
                /* for other files, replicate the user bits to group and other */
                mode_t ubits = (attrs->va_mode & S_IRWXU) >> 6;
                attrs->va_mode |= ubits | (ubits << 3);
            }

If I read this right, fakedir only changes the mode bits and not what access(2)
returns. Finder looks at the mode bits only. Ssh (openssh) looks at the
mode bits only. Finder could use access(2). Ssh can't use access(2) because
with that you can't check what "everyone else" is allowed to do.

authfile.c:

#ifdef HAVE_CYGWIN
        if (check_ntsec(filename))
#endif
        if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
                error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
                error("Permissions 0%3.3o for '%s' are too open.",
                    (u_int)st.st_mode & 0777, filename);
                error("It is recommended that your private key files are NOT accessible by others.");
                error("This private key will be ignored.");
                return 0;


The check_ntsec() which is used in the cygwin case is not too smart either.

I doubt we want to write the logic into ssh to detect afs and then
look at the ACL and then figure out what it means. And while we're at
it look if the cache manager runs in encrypt mode and so on. *Closes
can of worms* So what would you do? Just detect AFS and then say "it's
probably OK" or make it configurable or what?

Harald.

PS: And if you're not willing, then I'll use force
    http://de.wikisource.org/wiki/Erlk%C3%B6nig