From dfd40992e1735ed9b60d4e009185d5b1dc07a7b4 Mon Sep 17 00:00:00 2001
From: Nick Hanley <nicholasjhanley@gmail.com>
Date: Thu, 7 Jul 2022 22:49:09 -0400
Subject: setup-sshd, setup-user: follow openssh permission recommendations

From the OpenSSH man page:
> ~/.ssh/
> ...
> There is no general requirement to keep the entire contents of this
> directory secret, but the recommended permissions are
> read/write/execute for the user, and not accessible by others.
>
> ~/.ssh/authorized_keys
> ...
> This file is not highly sensitive, but the recommended permissions are
> read/write for the user, and not accessible by others.

OpenSSH follows these recommendations when creating these files itself
so we should do the same.
---
 setup-sshd.in | 1 +
 1 file changed, 1 insertion(+)

(limited to 'setup-sshd.in')

diff --git a/setup-sshd.in b/setup-sshd.in
index 4dca52f..7e3d6d1 100644
--- a/setup-sshd.in
+++ b/setup-sshd.in
@@ -164,6 +164,7 @@ if [ -n "$authorized_key" -a "$authorized_key" != "none" ]; then
 			authorized_key="$(wget -qO- "$key_url")" || die "Failed to fetch key from '$key_url'"
 			;;
 	esac
+	umask 077
 	mkdir -p "$ROOT"/root/.ssh
 	echo "$authorized_key" >> "$ROOT"/root/.ssh/authorized_keys
 fi
-- 
cgit v1.2.3