From 99c09d29d56cb98f749c2283b5b800de9af98745 Mon Sep 17 00:00:00 2001
From: Louis Rannou
Date: Thu, 3 Jul 2025 14:14:36 +0200
Subject: [PATCH] openssh: limit read access to sshd_config

Enhance security by limiting read access for /etc/sshd_config to user root as it may reveal unsecure configurations. Reading access is limited in the install append as the default value 0644 is hardcoded in the openssh makefile and is not configurable. Therefore the permissions are modified in the install append.

Signed-off-by: Louis Rannou
Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
---
 meta/recipes-connectivity/openssh/openssh_10.0p1.bb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
index a044aec063e..2f446b55403 100644
--- a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
@@ -102,7 +102,7 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
 do_configure:prepend () {
 export LD="${CC}"
- install -m 0644 ${UNPACKDIR}/sshd_config ${B}/
+ install -m 0600 ${UNPACKDIR}/sshd_config ${B}/
 install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
 }
@@ -153,9 +153,12 @@ do_install:append () {
 install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
 install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
+ # Limit sshd_config access to the owner (default is 0644)
+ chmod 0600 ${D}${sysconfdir}/ssh/sshd_config
+
 # Create config files for read-only rootfs
 install -d ${D}${sysconfdir}/ssh
- install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
+ install -m 0600 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
 install -d ${D}${systemd_system_unitdir}
 if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
-- 
2.47.3
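Review bot: The `install -m 0600` in do_configure:prepend only sets the mode of the copy staged into ${B}; by the commit message's own account the Makefile's install step hardcodes 0644 when it writes the file into ${D}, so this line on its own restricts nothing and the effective restriction is the chmod in do_install:append. A reader of this hunk alone could reasonably conclude the file is already protected here, so I would say so next to it, e.g. `# 0600 here is cosmetic: the Makefile's install resets it to 0644, do_install:append re-applies 0600`. Leaving ssh_config at 0644 is correct, since unprivileged users need to read the client config.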
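Review bot: The `chmod 0600` in do_install:append restricts the mode but says nothing about ownership, and a 0600 file only protects "root-only" if it is in fact owned by root; under the usual pseudo-wrapped install tree that is presumably the case, but it is an assumption this hunk leaves implicit, and `chown root:root ${D}${sysconfdir}/ssh/sshd_config` (or `install -o root -g root -m 0600 ...` for the readonly copy) would make it explicit. The read-only-rootfs path also matters: sshd_config_readonly is now 0600, but whatever copies it into the volatile /etc/ssh at boot (not visible in this hunk; the volatiles.99_sshd entry installed two lines above is the likely mechanism) must preserve that mode or the restriction is silently lost on read-only images, which deserves a comment next to the chmod such as `# NOTE: the boot-time copy for read-only rootfs must keep this file 0600`. The body of do_install:append continues outside the hunk.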