Re: Locking down ssh config in large env

On Mon, Sep 20, 2004 at 06:43:29PM -0400, Mason Gibson wrote:
> > On Mon, Sep 13, 2004 at 09:29:14AM -0400, Brett Anderson wrote:
> > > Perhaps you could create the .ssh files for them, have the .ssh files
> > > owned by another user(i.e. root), and don't give the end-user's write
> > > privileges.
> >
> > This is not sufficient.  If the user has write permission to their
> > .ssh directory, they can delete the files in it, and then replace them
> > with their own.  If the user has write access to their home directory,
> > the same applies to the entire .ssh directory.
>
> General speaking, if you set the sticky bit (chmod +t) on a directory, only
> the owner of a writable file in that directory or the owner of the
> directory can delete the writable file.  This protects application files
> that have to be writable by everyone but only one user should be able to
> delete the files.

Sure, but the owner of the directory can unset the sticky bit!

In order for this to work, the user's home directory must be owned by
root, as must the .ssh directory and all the files in it.  The user
would need to be granted write access somehow, perhaps via group
permissions.  This may not be feasible in many environments, i.e.
because users may need to share /some/ files in their home
directories, without providing everyone in their group access to all
their files.

Depending on what the OP was trying to do (I've lost track now), a
better solution might be to use rssh:

  http://www.pizzashack.org/rssh

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

pgph8TIxFuXsV.pgp
Description: PGP signature