docker-code-server

SSH Permission Changes

Open markagonzales opened this issue 1 year ago • 2 comments

linuxserver.io


  • [x] I have read the contributing guideline and understand that I have made the correct modifications

Description:

This PR changes how code-server manages files in the /config/.ssh directory on startup. Three scoped find commands replace the existing chown and enforce the correct file permissions for directories, private keys, and public keys that may be present.

Benefits of this PR and context:

The .ssh can have other files in that directory which the current. Although it addresses unsafe permissions and satisfies the client, the current behavior overcorrects what those permissions should be and potentially disrupts how that directory is organized.

How Has This Been Tested?

A nod to the recommendation to NOT mount into an existing mount path but for testing purposes...

mkdir -p temp-ssh/hi
touch temp-ssh/{hello,key.pub}
chmod 777 temp-ssh/*  
ls -alth temp-ssh
# this will need to be stopped after it completes its startup
docker run --rm -v "$PWD/temp-ssh:/config/.ssh" -e "PUID=$(id -u)" -e "PGID=$(id -g)" lscr.io/linuxserver/code-server:latest
ls -alth temp-ssh

Subdirectories should remain user at least 700, public keys should have 644 permissions, and private keys 600.

Source / References:

  • https://docs.ssh.com/manuals/client-user/62/userauth-pk.html
  • https://docs.oracle.com/en/operating-systems/oracle-linux/openssh/openssh-ConfigureOpenSSHClient.html#validate-config-permissions

markagonzales Sep 01 '24 17:09
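A sketch of the scoped approach the description above outlines, added here as an example; it is not the PR's code and not the project's init script. It assumes a private key is any regular file whose first line contains `PRIVATE KEY-----` and that public keys are named `*.pub`; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the PR's code): scoped permission fix for an .ssh tree.
# Assumption: a private key is a regular file whose first line contains
# "PRIVATE KEY-----" (PEM/OpenSSH header); public keys are files named *.pub.

fix_ssh_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # find does not follow symlinks by default, so link targets outside
    # the tree are never chmod-ed.
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -name '*.pub' -exec chmod 644 {} +
    # Private keys are matched by content, so unrelated files keep their mode.
    find "$dir" -type f ! -name '*.pub' -exec sh -c '
        for f do
            if head -n 1 "$f" 2>/dev/null | grep -q "PRIVATE KEY-----"; then
                chmod 600 "$f"
            fi
        done' sh {} +
}

# Symbolic mode string of a path, e.g. "-rw-------".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Builds a constructed directory with loose modes, fixes it, prints the result.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sub"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-sample' > "$d/id_test"
    echo 'ssh-ed25519 AAAA-constructed user@example' > "$d/id_test.pub"
    echo 'example.invalid ssh-ed25519 AAAA-constructed' > "$d/known_hosts"
    chmod 777 "$d/sub" "$d/id_test" "$d/id_test.pub"
    chmod 644 "$d/known_hosts"
    fix_ssh_perms "$d" || return 1
    for f in sub id_test id_test.pub known_hosts; do
        printf '%s %s\n' "$(mode_of "$d/$f")" "$f"
    done
    rm -rf "$d"
}

demo
```

The `known_hosts` file keeps its 644 mode, which is the difference from a blanket chmod over every file in the directory.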

I am a bot, here are the test results for this PR: https://ci-tests.linuxserver.io/lspipepr/code-server/4.92.2-pkg-be24e528-dev-c0aa0f7fc4f823a51eedd6e89ed462aadf915066-pr-185/index.html https://ci-tests.linuxserver.io/lspipepr/code-server/4.92.2-pkg-be24e528-dev-c0aa0f7fc4f823a51eedd6e89ed462aadf915066-pr-185/shellcheck-result.xml

Tag Passed
amd64-4.92.2-pkg-be24e528-dev-c0aa0f7fc4f823a51eedd6e89ed462aadf915066-pr-185
arm64v8-4.92.2-pkg-be24e528-dev-c0aa0f7fc4f823a51eedd6e89ed462aadf915066-pr-185

LinuxServer-CI Sep 01 '24 17:09

I am a bot, here are the test results for this PR: https://ci-tests.linuxserver.io/lspipepr/code-server/4.92.2-pkg-978f6c7a-dev-60b285ea654ef13d427fe32f7a2d901ab3b9e7b7-pr-185/index.html https://ci-tests.linuxserver.io/lspipepr/code-server/4.92.2-pkg-978f6c7a-dev-60b285ea654ef13d427fe32f7a2d901ab3b9e7b7-pr-185/shellcheck-result.xml

Tag Passed
amd64-4.92.2-pkg-978f6c7a-dev-60b285ea654ef13d427fe32f7a2d901ab3b9e7b7-pr-185
arm64v8-4.92.2-pkg-978f6c7a-dev-60b285ea654ef13d427fe32f7a2d901ab3b9e7b7-pr-185

LinuxServer-CI Sep 07 '24 23:09

I am a bot, here are the test results for this PR: https://ci-tests.linuxserver.io/lspipepr/code-server/4.93.1-pkg-3d426902-dev-35f551fad7483df777ad0fca51b0abc070bd90d7-pr-185/index.html https://ci-tests.linuxserver.io/lspipepr/code-server/4.93.1-pkg-3d426902-dev-35f551fad7483df777ad0fca51b0abc070bd90d7-pr-185/shellcheck-result.xml

Tag Passed
amd64-4.93.1-pkg-3d426902-dev-35f551fad7483df777ad0fca51b0abc070bd90d7-pr-185
arm64v8-4.93.1-pkg-3d426902-dev-35f551fad7483df777ad0fca51b0abc070bd90d7-pr-185

LinuxServer-CI Oct 04 '24 23:10

PR looks excellent, thanks @markagonzales - just run into this issue myself and I'm currently working around it with custom-cont-init.d, but it'd be good to get this into a better state. @aptalca or @thespad (probably?) - could you review this? :D

Thanks!

chessmango Oct 10 '24 07:10

Could you update the changelog date and then I'm happy to merge this

thespad Oct 10 '24 14:10

I am a bot, here are the test results for this PR: https://ci-tests.linuxserver.io/lspipepr/code-server/4.93.1-pkg-3d426902-dev-d95bcfcc582e8b71c6a0c5790b9fc500d17d7a07-pr-185/index.html https://ci-tests.linuxserver.io/lspipepr/code-server/4.93.1-pkg-3d426902-dev-d95bcfcc582e8b71c6a0c5790b9fc500d17d7a07-pr-185/shellcheck-result.xml

Tag Passed
amd64-4.93.1-pkg-3d426902-dev-d95bcfcc582e8b71c6a0c5790b9fc500d17d7a07-pr-185
arm64v8-4.93.1-pkg-3d426902-dev-d95bcfcc582e8b71c6a0c5790b9fc500d17d7a07-pr-185

LinuxServer-CI Oct 10 '24 15:10