]> git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commitdiff
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2d21762)
openssh: limit read access to sshd_config
authorLouis Rannou <louis.rannou@non.se.com>
Thu, 3 Jul 2025 12:14:36 +0000 (14:14 +0200)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Mon, 7 Jul 2025 21:12:47 +0000 (22:12 +0100)
Enhance security by limiting read access for /etc/sshd_config to user root as it
may reveal unsecure configurations.

Reading access is limited in the install append as the default value 0644 is
hardcoded in the openssh makefile and is not configurable. Therefore the
permissions are modified in the install append.

Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-connectivity/openssh/openssh_10.0p1.bb patch | blob | blame | history

diff --git a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
index a044aec063e364d383d437909b80f0e2871ca532..2f446b554031ec4233e65d97538a10fa64e91838 100644 (file)
--- a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
@@ -102,7 +102,7 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
 
 do_configure:prepend () {
        export LD="${CC}"
-       install -m 0644 ${UNPACKDIR}/sshd_config ${B}/
+       install -m 0600 ${UNPACKDIR}/sshd_config ${B}/
        install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
 }
 
@@ -153,9 +153,12 @@ do_install:append () {
        install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
        install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
 
+       # Limit sshd_config access to the owner (default is 0644)
+       chmod 0600 ${D}${sysconfdir}/ssh/sshd_config
+
        # Create config files for read-only rootfs
        install -d ${D}${sysconfdir}/ssh
-       install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
+       install -m 0600 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
 
        install -d ${D}${systemd_system_unitdir}
        if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
Mirror of git://git.openembedded.org/openembedded-core-contrib