Creating a new user breaking existing permissions

In the openssh-7.6p1 source code file readconf.c we can see that the permission checking is delegated to a function secure_permissions:

if (flags & SSHCONF_CHECKPERM) {
        struct stat sb;

        if (fstat(fileno(f), &sb) == -1)
                fatal("fstat %s: %s", filename, strerror(errno));
        if (!secure_permissions(&sb, getuid()))
                fatal("Bad owner or permissions on %s", filename);

This function is in misc.c and we can see that it indeed explicitly enforces one member per group if the file is group-writeable:

secure_permissions(struct stat *st, uid_t uid)
        if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
                return 0;
        if ((st->st_mode & 002) != 0)
                return 0;
        if ((st->st_mode & 020) != 0) {
                /* If the file is group-writable, the group in question must
                 * have exactly one member, namely the file's owner.
                 * (Zero-member groups are typically used by setgid
                 * binaries, and are unlikely to be suitable.)
                struct passwd *pw;
                struct group *gr;
                int members = 0;

                gr = getgrgid(st->st_gid);
                if (!gr)
                        return 0;

                /* Check primary group memberships. */
                while ((pw = getpwent()) != NULL) {
                        if (pw->pw_gid == gr->gr_gid) {
                                if (pw->pw_uid != uid)
                                        return 0;

                pw = getpwuid(st->st_uid);
                if (!pw)
                        return 0;

                /* Check supplementary group memberships. */
                if (gr->gr_mem[0]) {
                        if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
                                return 0;

                if (!members)
                        return 0;
        return 1;

This is related to ssh. Ssh requires the file ~/.ssh/config to be readable only by the user it affects and noone else. File-permission of 664 or 644 is default on most systems (rw-rw-r-- or rw-r--r--). You can control this by setting a umask.

git clone is using ssh to clone the repository, maybe it's using some ssh-stuff on init even when the clone is done from http(s).


  • (section “Files”)