Date: Thu, 10 Nov 2011 23:14:23 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: /etc/skel/.ssh/authorized_keys

On Wed, Nov 09, 2011 at 03:10:15PM +0400, gremlin@...mlin.ru wrote:
> On 09-Nov-2011 14:56:44 +0400, Solar Designer wrote:
>  > > +%post clients
>  > > +mkdir -p -m 700 /etc/skel/.ssh
>  > > +touch /etc/skel/.ssh/authorized_keys
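
Review bot: on the touch line no mode is set, so the permissions of /etc/skel/.ssh/authorized_keys depend on whatever umask the scriptlet runs under, and on the mkdir line -m 700 has no effect when /etc/skel/.ssh already exists, because mkdir -p leaves an existing directory's mode unchanged. If safe default permissions are the goal, follow both commands with an explicit chmod (700 on the directory, 600 on the file). Paths created only in %post are also not recorded as package-owned unless they are listed under %files as well, so rpm will neither verify nor remove them.
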
>  > What for? To provide safe permissions by default, even if one
>  > adjusts the umask to be other than our default of 077?
> 
> Not necessarily. I normally do that for reasons of usability, as
> I encourage users to authorize with keys, and they misspell the
> file name too often.

Oh.  Understood.  But I don't feel this is a good enough reason to make
the change in Owl.  It would be unclear where to stop with providing
empty skel files for those potentially misspelled filenames.

>  > Why in %post rather than in %install and %files?
> 
> To avoid conflicts. The ${subj} may contain preset keys on some
> systems (trivial example: VPS with virtual HTTP sites operated
> by one person) - and it hardly is the "%config(noreplace)" file.

There would be no problem listing this file as %config(noreplace), but
see above - I am not convinced that we want to get this in.

Alexander
