git: 07d17ca189fc - main - nuageinit: Set recommended SSH permissions

From: Baptiste Daroussin <bapt_at_FreeBSD.org>
Date: Tue, 23 Jul 2024 13:04:18 UTC
The branch main has been updated by bapt:

URL: https://cgit.FreeBSD.org/src/commit/?id=07d17ca189fcf3cc44b7706040b05ca8135c3b85

commit 07d17ca189fcf3cc44b7706040b05ca8135c3b85
Author:     Jose Luis Duran <jlduran@gmail.com>
AuthorDate: 2024-07-23 08:59:09 +0000
Commit:     Baptiste Daroussin <bapt@FreeBSD.org>
CommitDate: 2024-07-23 13:02:28 +0000

    nuageinit: Set recommended SSH permissions
    
    As stated in sshd(8), the recommended permissions for ~/.ssh are
    read/write/execute for the user, and not accessible by others; and the
    recommended permissions for ~/.ssh/authorized_keys are read/write for
    the user, and not accessible by others.
---
 libexec/nuageinit/nuage.lua      | 2 ++
 libexec/nuageinit/tests/nuage.sh | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua
index 81fb40c0d8eb..10451dc0bdc4 100644
--- a/libexec/nuageinit/nuage.lua
+++ b/libexec/nuageinit/nuage.lua
@@ -205,9 +205,11 @@ local function addsshkey(homedir, key)
 	f:write(key .. "\n")
 	f:close()
 	if chownak then
+		os.execute("chmod 0600 " .. ak_path)
 		pu.chown(ak_path, dirattrs.uid, dirattrs.gid)
 	end
 	if chowndotssh then
+		os.execute("chmod 0700 " .. dotssh_path)
 		pu.chown(dotssh_path, dirattrs.uid, dirattrs.gid)
 	end
 end
diff --git a/libexec/nuageinit/tests/nuage.sh b/libexec/nuageinit/tests/nuage.sh
index bbf306eae51f..531c171a3271 100644
--- a/libexec/nuageinit/tests/nuage.sh
+++ b/libexec/nuageinit/tests/nuage.sh
@@ -17,6 +17,8 @@ addsshkey_body() {
 	if [ ! -f .ssh/authorized_keys ]; then
 		atf_fail "ssh key not added"
 	fi
+	atf_check -o inline:".ssh: 040700 [drwx------ ] -> 040700 [drwx------ ]\n" chmod -vv 0700 .ssh
+	atf_check -o inline:".ssh/authorized_keys: 0100600 [-rw------- ] -> 0100600 [-rw------- ]\n" chmod -vv 0600 .ssh/authorized_keys
 	atf_check -o inline:"mykey\n" cat .ssh/authorized_keys
 	atf_check /usr/libexec/flua $(atf_get_srcdir)/addsshkey.lua
 	atf_check -o inline:"mykey\nmykey\n" cat .ssh/authorized_keys