gl-setup and unusable ~/.ssh/authorized_keys permissions


Blair Zajac

Aug 4, 2011, 3:50:36 PM
to gito...@googlegroups.com
There's an issue with Fedora 15's packaging where the gitolite user's umask of 0002 causes gl-setup to create ~gitolite/.ssh/authorized_keys with 0664 permissions, which the ssh server then ignores, preventing logins.

The RPM package creates a system account with

$ useradd -r -g %{name} -d %{gitolite_homedir} -s /bin/sh -c "git repository hosting" %{name}

and Fedora 15's /etc/profile has this code:

# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002
else
    umask 022
fi

On my Fedora 15 system, gitolite has uid=493 and gid=490, so the umask is 002.

It appears that Fedora's packaging is making a valid decision to treat gitolite as a system account, so should gitolite change its umask before updating ~gitolite/.ssh/authorized_keys?

Blair

Sitaram Chamarty

Aug 4, 2011, 6:06:14 PM
to Blair Zajac, gito...@googlegroups.com
On Fri, Aug 5, 2011 at 1:20 AM, Blair Zajac <bl...@orcaware.com> wrote:
> There's an issue with Fedora 15's packaging where the gitolite user's umask of 0002 causes gl-setup to create ~gitolite/.ssh/authorized_keys with 0664 permissions, which the ssh server then ignores, preventing logins.

This was fixed upstream about 2 months ago; see c7d9529. I haven't
tagged a new revision since then -- maybe I should do that. I'll do
something this weekend, then send an email to the Fedora packager.

regards

sitaram
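
Added example, not from either post and not gitolite's or Fedora's code: a POSIX shell sketch that reproduces the 0664 file under umask 002 in a scratch directory, audits the home, .ssh and authorized_keys modes for the group/world write bits that sshd's StrictModes check rejects, and tightens them. The function names and the temporary directory standing in for ~gitolite are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; function names and scratch paths are hypothetical.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed if the path is group- or world-writable (mode & 022), the
# condition under which sshd with StrictModes ignores authorized_keys.
writable_by_others() {
    m=$(mode_of "$1")
    [ $(( 0$m & 022 )) -ne 0 ]
}

# Create HOME/.ssh/authorized_keys the way a setup script that never
# touches its umask would, using the umask given as $1 and HOME as $2.
create_with_umask() {
    ( umask "$1"; mkdir -p "$2/.ssh"; : > "$2/.ssh/authorized_keys" )
}

# Report every unsafe path under HOME ($1); return 1 if any was found.
audit_ssh_perms() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then
            echo "UNSAFE $(mode_of "$p") $p"
            bad=1
        fi
    done
    return "$bad"
}

# Tighten the modes so the audit passes regardless of the creating umask.
repair_ssh_perms() {
    chmod go-w "$1"
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}

# Demo in a constructed scratch directory standing in for ~gitolite.
demo=$(mktemp -d)
create_with_umask 002 "$demo"
audit_ssh_perms "$demo" || true   # reports .ssh (775) and authorized_keys (664)
repair_ssh_perms "$demo"
audit_ssh_perms "$demo" && echo "OK after repair"
rm -rf "$demo"
```

Running the audit as the account's owner after any setup step catches the problem before the first failed login; a umask of 077 at creation time avoids it altogether.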
