author Nick Hanley <nicholasjhanley@gmail.com> 2022-07-07 22:49:09 -0400
committer Natanael Copa <ncopa@alpinelinux.org> 2022-07-12 11:55:26 +0000
commit dfd40992e1735ed9b60d4e009185d5b1dc07a7b4 (patch)
tree d0a70dea9118bf9fec92f114d65afc8eb3470c54 /setup-user.in
parent a7b906d81470edeec05cf95000fb86235a304b3e (diff)
download alpine-conf-dfd40992e1735ed9b60d4e009185d5b1dc07a7b4.zip
setup-sshd, setup-user: follow openssh permission recommendations
From the OpenSSH man page:

> ~/.ssh/
> ...
> There is no general requirement to keep the entire contents of this
> directory secret, but the recommended permissions are
> read/write/execute for the user, and not accessible by others.
>
> ~/.ssh/authorized_keys
> ...
> This file is not highly sensitive, but the recommended permissions are
> read/write for the user, and not accessible by others.

OpenSSH follows these recommendations when creating these files itself so we should do the same.
Diffstat (limited to 'setup-user.in')
-rw-r--r-- setup-user.in 10
1 files changed, 7 insertions, 3 deletions
diff --git a/setup-user.in b/setup-user.in
index c39c15b..82c2f38 100644
--- a/setup-user.in
+++ b/setup-user.in
@@ -131,9 +131,13 @@ else
fi
if [ -n "$sshkeys" ] && [ "$sshkeys" != "none" ]; then
- mkdir -p "$ROOT"/home/$username/.ssh
- echo "$sshkeys" > "$ROOT"/home/$username/.ssh/authorized_keys
- $MOCK chown -R $username:$username "$ROOT"/home/$username/.ssh
+ ssh_directory="$ROOT"/home/$username/.ssh
+ (
+ umask 077
+ mkdir -p "$ssh_directory"
+ echo "$sshkeys" > "$ssh_directory"/authorized_keys
+ )
+ $MOCK chown -R $username:$username "$ssh_directory"
fi
if [ -n "$groups" ] && [ "$groups" != "none" ]; then
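Review bot: the `umask 077` in the subshell only governs the mode of what `mkdir -p "$ssh_directory"` and the `>` redirection newly create; if the directory or `authorized_keys` already exists with a looser mode, that mode is kept and the result does not match the recommended permissions quoted in the commit message. An explicit `chmod 700 "$ssh_directory"` and `chmod 600 "$ssh_directory"/authorized_keys` after the write would cover both the fresh and the pre-existing case. Note also that `mkdir -p` under this umask creates any missing parent of `.ssh` as 0700 as well, so it is worth confirming that `"$ROOT"/home/$username` always exists by this point. Minor: `$username` is unquoted in the `chown` arguments while `"$ROOT"` and `"$ssh_directory"` are quoted; quoting it would be consistent.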