From 3a10d87bbd31c40d4a23dba9dfec21fc1e0dc5c5 Mon Sep 17 00:00:00 2001 From: Louis Rannou Date: Thu, 3 Jul 2025 14:14:36 +0200 Subject: [PATCH] openssh: limit read access to sshd_config Enhance security by limiting read access for /etc/sshd_config to user root as it may reveal unsecure configurations. Reading access is limited in the install append as the default value 0644 is hardcoded in the openssh makefile and is not configurable. Therefore the permissions are modified in the install append. Signed-off-by: Louis Rannou Signed-off-by: Antonin Godard --- meta/recipes-connectivity/openssh/openssh_10.0p1.bb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb index a044aec063..2f446b5540 100644 --- a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb @@ -102,7 +102,7 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" do_configure:prepend () { export LD="${CC}" - install -m 0644 ${UNPACKDIR}/sshd_config ${B}/ + install -m 0600 ${UNPACKDIR}/sshd_config ${B}/ install -m 0644 ${UNPACKDIR}/ssh_config ${B}/ } @@ -153,9 +153,12 @@ do_install:append () { install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} + # Limit sshd_config access to the owner (default is 0644) + chmod 0600 ${D}${sysconfdir}/ssh/sshd_config + # Create config files for read-only rootfs install -d ${D}${sysconfdir}/ssh - install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly + install -m 0600 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly install -d ${D}${systemd_system_unitdir} if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then -- 2.47.2