
Bug 936038

Summary: net-misc/openssh sets permission 0600 for sshd_config
Product: Gentoo Linux
Reporter: Matthias Nagel <matthias.nagel>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: UNCONFIRMED ---
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=906639
          https://bugs.gentoo.org/show_bug.cgi?id=915840
Whiteboard:
Package list:
Runtime testing required: ---

Description Matthias Nagel 2024-07-14 10:57:18 UTC
The ebuild sets the file permission for sshd_config and all files inside sshd_config.d to 0600. This makes it impossible to run backup scripts as a non-root user. IMHO, file permissions 0640 or even 0644 would be adequate for pure configuration files.

These configuration files should never contain any sensitive information which might infringe the security of the system. The only sensitive information is in the private key files.

Reproducible: Always

Steps to Reproduce:
1. Emerge (or re-emerge during upgrade) net-misc/openssh

Actual Results:
File permissions for /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/* are set to 0600.

Expected Results:
File permissions for /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/* are set to 0640 or 0644.
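An added audit script, written for this page and not part of the bug report or the ebuild: it checks an OpenSSH configuration directory against the modes the reporter expects (0640 or 0644 for configuration files, 0600 only for private host keys) and flags the 0600 state the ebuild leaves behind. It assumes GNU stat (-c '%a') and uses a constructed temporary tree as sample input.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit the file modes in an
# sshd configuration directory. Assumes GNU stat (-c '%a') as on Gentoo.
# Expectation follows the report: configuration files should be readable
# by a backup account (0640 or 0644) but never group/world writable, and
# only the private host keys (ssh_host_*_key) need to stay at 0600.

# audit_ssh_dir DIR: print one line per mismatch; return 0 if all modes are as expected.
audit_ssh_dir() {
    dir=$1
    rc=0
    for f in "$dir"/sshd_config "$dir"/sshd_config.d/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            640|644) ;;
            *) printf 'config %s: mode %s, expected 0640 or 0644\n' "$f" "$mode"; rc=1 ;;
        esac
    done
    for k in "$dir"/ssh_host_*_key; do
        [ -f "$k" ] || continue
        mode=$(stat -c '%a' "$k")
        if [ "$mode" != 600 ]; then
            printf 'key %s: mode %s, expected 0600\n' "$k" "$mode"; rc=1
        fi
    done
    return "$rc"
}

# make_fixture: constructed sample tree (hypothetical, for offline testing)
# laid out the way the report describes the ebuild leaving it: config files
# at 0600, host key at 0600. Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    : > "$d/sshd_config";                 chmod 600 "$d/sshd_config"
    : > "$d/sshd_config.d/10-local.conf"; chmod 600 "$d/sshd_config.d/10-local.conf"
    : > "$d/ssh_host_ed25519_key";        chmod 600 "$d/ssh_host_ed25519_key"
    printf '%s\n' "$d"
}

# Stand-alone demo: audit the constructed tree, then fix the config modes and re-audit.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    audit_ssh_dir "$d"
    chmod 640 "$d/sshd_config" "$d"/sshd_config.d/*
    audit_ssh_dir "$d" && echo "ok: $d"
    rm -rf "$d"
fi
```

Run it as `sh audit.sh --demo` to see the two config-file findings disappear after the chmod; against a live system, call `audit_ssh_dir /etc/ssh` from an account that can stat those files.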
Comment 1 Mike Gilbert gentoo-dev 2024-07-14 14:54:28 UTC
I will note that the upstream Makefile installs sshd_config with mode 644.

https://github.com/openssh/openssh-portable/blob/V_9_8_P1/Makefile.in#L443
Comment 2 Mike Gilbert gentoo-dev 2024-07-14 15:01:42 UTC
Gentoo has been setting the mode on sshd_config to 0600 since 2002. No explanation was given in the relevant commit.

https://gitweb.gentoo.org/archive/repo/gentoo-2.git/commit/?id=a2a04fc358934f38698118da30e326443b79acda