On Sun, May 23, 2010 at 03:16:56AM +0200, Christoph Anton Mitterer wrote:
> On Sat, 2010-05-22 at 19:55 +0100, Colin Watson wrote:
> > It's not completely dropping security. If the user is the only member
> > of a group, then the group-writability confers no additional permissions
> > and it's OK to allow it.
>
> Well I've read the code for the ~/.ssh/config changes,... I mean it
> seems ok at least at a first glance,... but I think it's more or less
> only a heuristic and I guess upstream has its reasons to not merge
> it...

Wrong reasons, yes. I corrected a significant mistake in their objection
on the upstream bug and they never responded to that; and they also don't
think that it's important for this part of the system to work by default
(I assume that they don't use systems with user-private groups). I expect
to continue carrying the patch since I am not persuaded by their arguments.

> And what happens if group membership changes just during that code
> part?

I don't see a reason to care. Let's say that all but one user is being
removed from the group: now either the test fails, as it would have done
beforehand, or it passes, as it would do afterwards. Since the test is
essentially just to protect the user from themselves, it doesn't matter
that it races against passwd/group file changes.

-- 
Colin Watson [cjwat...@debian.org]
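The rule discussed in this message (group-writability is acceptable when the user is the only member of the group) can be sketched as follows. This is an added example, not the Debian patch or OpenSSH code: the struct types, function names, the ownership and world-write policy, and the sample accounts are all assumptions, and the account databases are modelled as an in-memory snapshot so the check runs offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical snapshot types standing in for passwd/group lookups. */
struct acct { const char *name; uid_t uid; gid_t primary_gid; };
struct grp_snap { gid_t gid; const char *const *members; size_t n_members; };

/* True if no account other than `owner` is in the group, whether as a
 * primary group (passwd) or a supplementary member (group file). */
static bool group_is_private(const struct grp_snap *g, const struct acct *owner,
                             const struct acct *accts, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (accts[i].primary_gid == g->gid && accts[i].uid != owner->uid)
            return false;
    for (size_t i = 0; i < g->n_members; i++)
        if (strcmp(g->members[i], owner->name) != 0)
            return false;
    return true;
}

/* Assumed policy: file owned by the user, never world-writable, and
 * group-writable only when the file's group is private to the user. */
static bool perms_ok(uid_t fuid, mode_t mode, const struct grp_snap *fgrp,
                     const struct acct *owner, const struct acct *accts, size_t n)
{
    if (fuid != owner->uid || (mode & S_IWOTH))
        return false;
    if ((mode & S_IWGRP) && !group_is_private(fgrp, owner, accts, n))
        return false;
    return true;
}

/* Constructed sample data: gid 1000 is alice's private group, gid 50 is shared. */
static const struct acct ACCTS[] = { { "alice", 1000, 1000 }, { "bob", 1001, 1001 } };
static const char *const SHARED_MEMBERS[] = { "alice", "bob" };
static const struct grp_snap UPG = { 1000, NULL, 0 };
static const struct grp_snap SHARED = { 50, SHARED_MEMBERS, 2 };

int main(void)
{
    printf("0664, private group: %d\n", perms_ok(1000, 0664, &UPG, &ACCTS[0], ACCTS, 2));
    printf("0664, shared group:  %d\n", perms_ok(1000, 0664, &SHARED, &ACCTS[0], ACCTS, 2));
    return 0;
}
```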