
openssh: limit read access to sshd_config

Enhance security by limiting read access for /etc/sshd_config to user root as it
may reveal insecure configurations.

Read access is limited in the install append as the default value 0644 is
hardcoded in the openssh makefile and is not configurable. Therefore the
permissions are modified in the install append.

(From OE-Core rev: 99c09d29d56cb98f749c2283b5b800de9af98745)

Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Louis Rannou, 3 months ago
Commit 2ff9b7b6c6
1 file changed, 5 insertions(+), 2 deletions(-)

+ 5 - 2
meta/recipes-connectivity/openssh/openssh_10.0p1.bb

@@ -102,7 +102,7 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
 
 do_configure:prepend () {
 	export LD="${CC}"
-	install -m 0644 ${UNPACKDIR}/sshd_config ${B}/
+	install -m 0600 ${UNPACKDIR}/sshd_config ${B}/
 	install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
 }
 
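Review bot: the 0600 on the copy placed into ${B}/ does not determine the mode of the packaged file; as the commit message itself says, the openssh Makefile installs sshd_config with a hardcoded 0644, and the effective mode is the one set later in do_install:append. The change is harmless and keeps the build-tree copy consistent with the installed file, but a one-line comment such as `# mode of the installed file is set in do_install:append` would stop a future reader from assuming this line is what restricts access. Leaving ssh_config at 0644 is correct, since the client configuration has to stay readable by every user.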
@@ -153,9 +153,12 @@ do_install:append () {
 	install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
 	install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
 
+	# Limit sshd_config access to the owner (default is 0644)
+	chmod 0600 ${D}${sysconfdir}/ssh/sshd_config
+
 	# Create config files for read-only rootfs
 	install -d ${D}${sysconfdir}/ssh
-	install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
+	install -m 0600 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
 
 	install -d ${D}${systemd_system_unitdir}
 	if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
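Review bot: the ordering is right: `chmod 0600` runs after the Makefile's install of sshd_config and before the `install -m 0600 ... sshd_config_readonly` copy, so both the live file and the read-only template end up owner-readable only. Two points to tidy: first, the mode spelling is mixed within the hunk (`install -m 644` on the volatiles line, `0600` on the new lines), so pick one form. Second, chmod changes only the mode, not the owner; that is fine here because files under ${D} are root-owned by default, but the comment could say that sshd_config must stay owned by root, since an owner other than root combined with 0600 would prevent sshd itself from reading its configuration. Separately, the commit message refers to /etc/sshd_config while the file touched here is ${sysconfdir}/ssh/sshd_config; the message should name the actual path.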