From patchwork Sun May 30 10:33:31 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4382
To: "IPFire: Development"
From: Peter Müller
Subject: [PATCH] OpenSSH: restrict file permissions for sshd_config to 0600
Message-ID: <67fe68bc-5337-daa6-c150-1d0e334d309a@ipfire.org>
Date: Sun, 30 May 2021 12:33:31 +0200
List-Id: IPFire development talk

This file does not have to be readable by anybody else than the user running an OpenSSH server. While it does not really contain confidential information, exposing it to the rest of the world makes no sense either.

This will silence a Lynis warning. :-)

Signed-off-by: Peter Müller
--- lfs/openssh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lfs/openssh b/lfs/openssh index 3117e996c..ced1a7db9 100644 --- a/lfs/openssh 
+++ b/lfs/openssh @@ -84,7 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make install # install custom OpenSSH server configuration - install -v -m 644 $(DIR_SRC)/config/ssh/sshd_config \ + install -v -m 600 $(DIR_SRC)/config/ssh/sshd_config \ /etc/ssh/sshd_config # install custom OpenSSH client configuration
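Review bot: The `install -v -m 600` line in this hunk sets the mode but leaves owner and group implicit, so the file is owned by whichever user runs this build step; since the commit message ties readability to the user running the OpenSSH server, adding `-o root -g root` would make that explicit. The change also only affects the copy laid down by `lfs/openssh`: if an existing `/etc/ssh/sshd_config` is kept across updates, it stays at 644 unless the update path also applies the new mode, which is worth covering so the Lynis finding clears on upgraded systems too. It is also worth confirming that nothing running unprivileged reads this file, since any such reader would start failing once the mode is 600.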