Date: Fri, 22 Jun 2012 20:09:55 +0200
From: "Julian H. Stacey" <jhs@berklix.com>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: / owned by bin causes sshd to complain bad ownership
Message-ID: <201206221810.q5MI9tuR054055@fire.js.berklix.net>
In-Reply-To: Your message "Fri, 22 Jun 2012 19:38:04 +0200." <86mx3v2qo3.fsf@ds4.des.no>
Hi,
Dag-Erling Smørgrav wrote:
> "Julian H. Stacey" <jhs@berklix.com> writes:
> > On an 8.3-RELEASE running sshd, /var/log/auth.log
> > Jun 22 12:54:06 lapr sshd[57505]: Authentication refused:
> > bad ownership or modes for directory /
>
> sshd requires that the user's authorized_keys, the directory it's in
> (~/.ssh) and all its ancestor directories be owned by either the user or
> root.

Yes, I don't question the "user or", that's fine. It's the final "root"
I find strange. I guess whoever wrote sshd was so used to "root" they
never considered "bin" could be better.

> > Until I did
> > chown 0:0 /
> > ( It was previously
> > drwxr-xr-x 25 bin bin 1024 Jun 20 19:53 ./
> > )
>
> I don't see why / should be owned by bin;

Actually, I'd agree to some extent. It doesn't Need to be; it would
mostly look more orthogonal & optically matching alongside binary files
in the same directory also owned by bin.

> bin is intended for system
> binaries and libraries, i.e. {,/usr}/{bin,sbin,lib,libexec}, except
> those that need to be setuid or setgid.

Agreed. That's the way it used to be way back on Unix, & what I suggest
would be better if we returned to, but at least on my systems here, all
the binaries seem to be owned by root. eg currently:
  cd /usr/src/usr.bin/wc ; make install
  install -s -o root -g wheel -m 555 wc /usr/bin
  install -o root -g wheel -m 444 wc.1.gz /usr/share/man/man1

> The directories themselves
> should probably still be owned by root:wheel.

I'd prefer bin by default, though some directories eg for daemons might
need root. But I'd happily compromise on just getting binaries back to
be owned by bin for now. sshd is not so much what I'm targeting for
now, more that sshd is how I noticed the issue of binary file ownership.

> DES
> --
> Dag-Erling Smørgrav - des@des.no

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script, & indent with "> ".
Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable. Mail from @yahoo dumped @berklix. http://berklix.org/yahoo/
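Added example, not part of the thread above: a small Python check that walks from authorized_keys up to / and applies the same two rules sshd applies under StrictModes (each component owned by the login user or uid 0, and not group- or world-writable), so an administrator can find the offending directory before sshd refuses the login. The uid values and paths in the comments are constructed for illustration.

```python
import os
import stat
from typing import Iterable, List, Tuple

# Added example (not from the thread). Reproduces the ownership/mode rule the
# thread describes: every component from the key file up to / must be owned
# by the user or by uid 0 and must not be group- or world-writable. A "/" owned
# by bin (as in the quoted ls output) fails the ownership rule even though its
# mode bits are fine, which is exactly what sshd logged.

Entry = Tuple[str, int, int]  # (path, st_uid, st_mode)


def chain_entries(path: str) -> List[Entry]:
    """Stat the file and every ancestor directory, leaf first, ending at /."""
    entries = []
    cur = os.path.realpath(path)  # sshd checks the resolved path, not symlinks
    while True:
        st = os.lstat(cur)
        entries.append((cur, st.st_uid, st.st_mode))
        parent = os.path.dirname(cur)
        if parent == cur:  # reached the filesystem root
            return entries
        cur = parent


def unsafe_entries(entries: Iterable[Entry], uid: int) -> List[Tuple[str, str]]:
    """Return (path, reason) for each component sshd would reject for `uid`."""
    problems = []
    for path, st_uid, st_mode in entries:
        if st_uid not in (0, uid):
            problems.append((path, f"owned by uid {st_uid}, expected {uid} or 0"))
        # group- or world-writable (mode & 022) is the other StrictModes failure
        if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((path, f"group/world writable (mode {stat.S_IMODE(st_mode):04o})"))
    return problems


if __name__ == "__main__":
    # Check the current user's own key file chain and report what sshd would refuse.
    keyfile = os.path.expanduser("~/.ssh/authorized_keys")
    for p, reason in unsafe_entries(chain_entries(keyfile), os.getuid()):
        print(f"{p}: {reason}")
```

Run it as the user whose login is refused; an empty report means the chain satisfies both rules.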