From 3d128567bac3c70df8f350cde6e4108a60628775 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?=
Date: Thu, 21 Nov 2024 11:46:01 -0500
Subject: [PATCH] make ssh_authorized_key world-readable when deployed as root

This is a rather bold and naive move to fix #92. It makes all authorized_keys generated by this module to be readonly when generated by root, so that Puppet can be used to deploy authorized_keys files that are not writable by the user, yet still usable for authentication.

This is necessary because OpenSSH drops privileges before parsing authorized_keys. If a file is owned by root and mode `0600` (as right now), authentication fails.

We keep the old `0600` mode for files managed by the user. For those, there's nothing we can do anyways: if the user owns the file, they can change the mode and rewrite the file anyways.

A proper solution would probably be to hook into a File resource there that could be overridden properly.

Fundamentally, the problem here is that we are managing multiple resources that hit the same actual file on disk: ideally, we'd have a mode parameter to the resource here, but then we could get into conflicts if multiple invocations of ssh_authorized_key use different mode parameters.

Closes: #92
---
 lib/puppet/provider/ssh_authorized_key/parsed.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/puppet/provider/ssh_authorized_key/parsed.rb b/lib/puppet/provider/ssh_authorized_key/parsed.rb index b10066e..f18987b 100644 --- a/lib/puppet/provider/ssh_authorized_key/parsed.rb +++ b/lib/puppet/provider/ssh_authorized_key/parsed.rb @@ -38,7 +38,11 @@ def dir_perm 0o700 end - def file_perm + def file_perm_readonly + 0o444 + end + + def file_perm_writable 0o600 end 
@@ -84,7 +88,7 @@ def flush end super - File.chmod(file_perm, target) + File.chmod(file_perm_writable, target) end # to avoid race conditions when handling permissions as a privileged user # (CVE-2011-3870) we use the trusted_path method to ensure the entire @@ -97,7 +101,7 @@ def flush gid = Puppet::Util.gid(@resource.should(:user)) File.open(target) do |target| target.chown(uid, gid) - target.chmod(file_perm) + target.chmod(file_perm_readonly) end end end
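Review bot: In the first hunk (@@ -38,7 +38,11), file_perm_readonly returns 0o444, which grants read to group and other as well as dropping owner write, and neither new method has a comment saying so. authorized_keys lines can carry options alongside the keys, so making them readable by every local account needs a stated reason; if the goal is only that the login user can read a file they cannot rewrite, document next to the constant which ownership that assumes. Removing file_perm outright also breaks any subclass or caller still using the old name, so consider keeping it as an alias for file_perm_writable. The diffstat shows 1 file changed, so no spec accompanies the new mode.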
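Review bot: In the second hunk (@@ -84,7 +88,7), File.chmod(file_perm_writable, target) is a rename with no change in mode, and nothing at the call site says why this path keeps 0o600 while the other does not. A one-line comment that this is the path for files managed by the user, as the commit message explains, would keep the two chmod calls from being merged back together later.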
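Review bot: In the third hunk (@@ -97,7 +101,7), target.chmod(file_perm_readonly) runs right after the unchanged context line target.chown(uid, gid), with gid taken from @resource.should(:user). If uid is resolved from the same user (its assignment is above the visible context), the file ends up owned by that user at 0o444, and the commit message itself notes that an owner can change the mode and rewrite the file, so the read-only bit does not deliver the "not writable by the user" property. Either leave ownership with root in this branch, or add a comment explaining why chown followed by 0o444 is still the intended result.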