From 07d17ca189fcf3cc44b7706040b05ca8135c3b85 Mon Sep 17 00:00:00 2001
From: Jose Luis Duran
Date: Tue, 23 Jul 2024 08:59:09 +0000
Subject: [PATCH] nuageinit: Set recommended SSH permissions

As stated in sshd(8), the recommended permissions for ~/.ssh are read/write/execute for the user, and not accessible by others; and the recommended permissions for ~/.ssh/authorized_keys are read/write for the user, and not accessible by others.
---
 libexec/nuageinit/nuage.lua | 2 ++
 libexec/nuageinit/tests/nuage.sh | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua
index 81fb40c0d8eb..10451dc0bdc4 100644
--- a/libexec/nuageinit/nuage.lua
+++ b/libexec/nuageinit/nuage.lua
@@ -205,9 +205,11 @@ local function addsshkey(homedir, key)
 f:write(key .. "\n")
 f:close()
 if chownak then
+ os.execute("chmod 0600 " .. ak_path)
 pu.chown(ak_path, dirattrs.uid, dirattrs.gid)
 end
 if chowndotssh then
+ os.execute("chmod 0700 " .. dotssh_path)
 pu.chown(dotssh_path, dirattrs.uid, dirattrs.gid)
 end
 end
diff --git a/libexec/nuageinit/tests/nuage.sh b/libexec/nuageinit/tests/nuage.sh
index bbf306eae51f..531c171a3271 100644
--- a/libexec/nuageinit/tests/nuage.sh
+++ b/libexec/nuageinit/tests/nuage.sh
@@ -17,6 +17,8 @@ addsshkey_body() {
 if [ ! -f .ssh/authorized_keys ]; then
 atf_fail "ssh key not added"
 fi
+ atf_check -o inline:".ssh: 040700 [drwx------ ] -> 040700 [drwx------ ]\n" chmod -vv 0700 .ssh
+ atf_check -o inline:".ssh/authorized_keys: 0100600 [-rw------- ] -> 0100600 [-rw------- ]\n" chmod -vv 0600 .ssh/authorized_keys
 atf_check -o inline:"mykey\n" cat .ssh/authorized_keys
 atf_check /usr/libexec/flua $(atf_get_srcdir)/addsshkey.lua
 atf_check -o inline:"mykey\nmykey\n" cat .ssh/authorized_keys
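Review bot: On the two added `os.execute` lines, `ak_path` and `dotssh_path` are spliced unquoted into a shell command and the call's result is discarded, so a path containing whitespace or shell metacharacters would make chmod fail, or operate on a different path, without any error reaching addsshkey. Both paths presumably derive from the `homedir` parameter, and nothing in the hunk shows it is constrained to shell-safe characters, so treating it as such needs a justification. Prefer a native mode-setting call beside the existing `pu.chown` (a posix `chmod` binding, if this flua build provides one), or at minimum check the result, e.g. `if not os.execute("chmod 0600 " .. ak_path) then error("chmod failed: " .. ak_path) end`. The key is written and the file closed before the mode is tightened, so whether the file is briefly readable under a permissive umask depends on how it was opened, which is outside the hunk; addsshkey begins outside the hunk.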
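Review bot: The two added `atf_check` lines verify the mode by running `chmod -vv`, a mutating command whose verbose output format is what the assertion pins; a read-only query would express the intent more directly and would not silently correct a wrong mode before the later checks in the same body run. Something like `atf_check -o inline:"700\n" stat -f %Lp .ssh` and `atf_check -o inline:"600\n" stat -f %Lp .ssh/authorized_keys` checks the same permission bits without touching the filesystem. The enclosing test body addsshkey_body continues outside the hunk.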