Bug 1260778

In the email conversation we had I thought you meant .ssh was
public writable.

I'm dubious about whether this is really a bug.  On my laptop:

$ ls -ld .ssh
drwxr-xr-x. 2 rjones rjones 4096 Sep  3 17:08 .ssh
$ ls -l .ssh/authorized_keys
-rw-r--r--. 1 rjones rjones 4852 Apr  1 22:16 .ssh/authorized_keys

and I've never imagined that to be a security problem.  These
keys are public keys after all.

For root it's more arguable, although in most cases /root itself
will be unreadable by non-root users so it wouldn't make any difference.

The relevant code is:

https://github.com/libguestfs/libguestfs/blob/master/customize/ssh_key.ml#L118-L130

When the ssh-copy-id command creates ~/.ssh and ~/.ssh/authorized_keys it sets the perms to 0700 and 0600, respectively.

That said, in my email correspondence, I was wrong to suggest that --ssh-inject was failing for me because of this. Turns out it was a quirk of my current setup with ssh-agent and too many keys.

I still think it would be a good idea to set the same perms that ssh-copy-id does, but not that big of a deal I guess.

I looked at ssh-copy-id and ssh and both are creating ~/.ssh with
mode 0700, so that looks like the right thing to do.

Patch posted:
https://www.redhat.com/archives/libguestfs/2015-September/msg00021.html

Upstream fix:
5ed4388ecd5fdb7639622ee4fba317c276547257

Available in libguestfs >= 1.31.5 & >= 1.30.2 (forthcoming).

libguestfs-1.30.2-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15401

libguestfs-1.30.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15420

libguestfs-1.30.2-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update libguestfs'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15401

libguestfs-1.30.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update libguestfs'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15420

libguestfs-1.30.3-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-cdd7fcfc3c

libguestfs-1.30.3-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update libguestfs'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-cdd7fcfc3c

libguestfs-1.30.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

libguestfs-1.30.4-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-f7b0c57297

libguestfs-1.30.4-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update libguestfs'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f7b0c57297

libguestfs-1.30.4-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.