- markus@cvs.openbsd.org 2001/09/23 11:09:13

     [authfile.c]
     relax permission check for private key files.

diff --git a/authfile.c b/authfile.c
index b4b985c95a1f250fec8528ce1db9e798144b2cb0..cf2957dde1494e6cda769f32d1918b09646a4b61 100644 (file)
--- a/authfile.c
+++ b/authfile.c
@@ -36,7 +36,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: authfile.c,v 1.37 2001/06/23 15:12:17 itojun Exp $");
+RCSID("$OpenBSD: authfile.c,v 1.38 2001/09/23 11:09:13 markus Exp $");
 
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -486,18 +486,21 @@ key_perm_ok(int fd, const char *filename)
 {
        struct stat st;
 
-       /* check owner and modes */
+       if (fstat(fd, &st) < 0)
+               return 0;
+       /*
+        * if a key owned by the user is accessed, then we check the
+        * permissions of the file. if the key owned by a different user,
+        * then we don't care.
+        */
 #ifdef HAVE_CYGWIN
        if (check_ntsec(filename))
 #endif
-       if (fstat(fd, &st) < 0 ||
-           (st.st_uid != 0 && getuid() != 0 && st.st_uid != getuid()) ||
-           (st.st_mode & 077) != 0) {
-               close(fd);
+       if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
                error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-               error("Bad ownership or mode(0%3.3o) for '%s'.",
+               error("Permissions 0%3.3o for '%s' are too open.",
                    st.st_mode & 0777, filename);
                error("It is recommended that your private key files are NOT accessible by others.");
                error("This private key will be ignored.");