OpenSSH & files security

To sync files or export data between servers, I usually use rsync on top of ssh. With public/private key pairs, you can easily automate the jobs from a cron job without any password prompts. I also create a dedicated user who has only the privileges required to run rsync on the destination.

Today, I got the following error while testing a key pair:

diabolo sshd[4545]: Authentication refused: realpath /var/www/user/.ssh/authorized_keys2: Permission denied.

Damn! All permissions seemed correct, ‘user’ was able to access all the files. So, I browsed the OpenSSH 4.3 source tree and found the following function:

int secure_filename(FILE *f, const char *file, struct passwd *pw, char *err, size_t errlen)

The function description was:

/*
* Check a given file for security. This is defined as all components
* of the path to the file must be owned by either the owner
* of the file or root and no directories must be group or world writable.
*
* XXX Should any specific check be done for sym links ?
*
* Takes an open file descriptor, the file name, a uid and an
* error buffer plus max size as arguments.
*
* Returns 0 on success and -1 on failure
*/

In my case, /var/www was protected by a mode of 751 (rwxr-x--x), which prevented secure_filename() from reading the ‘user’ directory entry: ‘other’ users may traverse /var/www (x) but may not list it (r)… Grrrrr! One hour lost!
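The following is an added example, not code from OpenSSH or from this post. It models in Python the rule stated in the secure_filename() comment (every path component owned by root or by the user, no group- or world-writable directories), and adds a separate read/search diagnostic that catches the situation above: a 751 directory passes the ownership-and-modes policy, yet a non-owner cannot read it. Assumptions of mine: the policy walk stops at a caller-supplied `top` directory (the user's home in sshd's case); has_perm() is a plain mode-bit check with no ACL or capability handling; the /var/www-style tree is constructed in a temporary directory and the key file content is a placeholder.

```python
# Added example, not OpenSSH's own code: a Python model of the rule that the
# secure_filename() comment states, plus a read/search diagnostic that
# explains the "realpath ...: Permission denied" failure on a 751 directory.
import os
import stat
import tempfile

# What secure_filename() rejects on the file and on every directory:
# group- or world-writable (mode & 022).
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def secure_filename(path, uid, top):
    """Return the list of policy violations for `path` ([] when clean).
    Rule from the OpenSSH comment: the file and every directory above it
    must be owned by root or by `uid`, and none may be group or world
    writable.  Assumption: the walk stops at `top` (the user's home)."""
    problems = []
    st = os.stat(path)
    if st.st_uid not in (0, uid) or st.st_mode & UNSAFE_WRITE_BITS:
        problems.append("bad ownership or modes for file %s" % path)
    cur, top = os.path.abspath(path), os.path.abspath(top)
    while True:
        cur = os.path.dirname(cur)
        st = os.stat(cur)
        if st.st_uid not in (0, uid) or st.st_mode & UNSAFE_WRITE_BITS:
            problems.append("bad ownership or modes for directory %s" % cur)
        if cur == top or cur == os.path.dirname(cur):  # reached top or "/"
            break
    return problems


def has_perm(mode, owner_uid, owner_gid, uid, gids, want):
    """Plain Unix mode-bit check (no ACLs, no capabilities): does `uid` with
    supplementary groups `gids` have want in {"r","w","x"}?  root passes."""
    if uid == 0:
        return True
    bits = stat.S_IMODE(mode)
    if uid == owner_uid:
        shift = 6            # user class
    elif owner_gid in gids:
        shift = 3            # group class
    else:
        shift = 0            # other class
    return bool((bits >> shift) & {"r": 4, "w": 2, "x": 1}[want])


def traversal_problems(path, uid, gids, top):
    """List directories from `path`'s parent up to `top` that `uid` cannot
    search (x: needed to open anything below) or cannot read (r: needed to
    look up an entry's name, which a 751 directory denies to non-owners).
    This is a separate diagnostic, not part of secure_filename()."""
    problems = []
    cur, top = os.path.abspath(path), os.path.abspath(top)
    while True:
        cur = os.path.dirname(cur)
        st = os.stat(cur)
        for want, why in (("x", "not searchable"), ("r", "not readable")):
            if not has_perm(st.st_mode, st.st_uid, st.st_gid, uid, gids, want):
                problems.append("%s: %s by uid %d (mode %o)"
                                % (cur, why, uid, stat.S_IMODE(st.st_mode)))
        if cur == top or cur == os.path.dirname(cur):
            break
    return problems


def build_demo_tree(base):
    """Constructed sample layout mirroring the post: www 751, user 755,
    .ssh 700, authorized_keys2 600.  Returns (www, keys)."""
    www = os.path.join(base, "www")
    user = os.path.join(www, "user")
    ssh = os.path.join(user, ".ssh")
    keys = os.path.join(ssh, "authorized_keys2")
    for d, mode in ((www, 0o751), (user, 0o755), (ssh, 0o700)):
        os.mkdir(d)
        os.chmod(d, mode)   # explicit chmod: mkdir's mode is masked by umask
    with open(keys, "w") as fh:
        fh.write("ssh-ed25519 AAAA...PLACEHOLDER constructed@example\n")
    os.chmod(keys, 0o600)
    return www, keys


def demo():
    """Run both checks over the demo tree; returns
    (policy, traversal, policy_after_771, www)."""
    base = tempfile.mkdtemp()
    www, keys = build_demo_tree(base)
    me = os.getuid()
    # 1. secure_filename() is happy: 751 is neither group- nor world-writable.
    policy = secure_filename(keys, me, www)
    # 2. A uid that is neither root nor the owner of www only gets --x on it:
    #    it can step through www but cannot read the 'user' entry.
    stranger = me + 1
    traversal = traversal_problems(os.path.join(www, "user"), stranger, set(), www)
    # 3. Loosen www to 771 (group-writable): now secure_filename() refuses it.
    os.chmod(www, 0o771)
    policy_after = secure_filename(keys, me, www)
    return policy, traversal, policy_after, www


if __name__ == "__main__":
    for label, result in zip(("policy", "traversal", "policy after 771"), demo()):
        print(label, "->", result or "clean")
```

Running it shows the two checks disagreeing on the 751 case: the ownership-and-modes policy is clean, while the traversal diagnostic reports www as not readable by the stranger uid. When debugging a refused key, run both: sshd's own policy only explains the "bad ownership or modes" message, and a missing read or search bit on a parent directory shows up as the realpath failure instead.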