Mail Archives: cygwin/2005/10/31/03:52:46
The following message contains my findings regarding a working setup of
Cygwin sshd for non-administrators -- a topic I would like to see
addressed in the official documentation, since no other source was found
(at least via Google) with conclusive information on the subject:

INTRODUCTION

Two often cited pages with guides for setting up sshd on Win32:
http://pigtail.net/LRP/printsrv/cygwin-sshd.html
http://ncyoung.com/entry/389
state that it is necessary to make every user who wishes to gain access
via ssh/sftp a member of the Administrators group (!).
I did not find this subject covered in the Cygwin documentation, but it
seems urgent that this *is* covered by the documentation. Making all
users who access a W2K or WXP system members of the Administrators group
poses a security risk.

ANALYSIS

Users gain access to the Cygwin system via ssh/sftp as themselves with
the rights that were assigned to them in Win32 and in NTFS. Therefore
any problems that may occur are a result of either insufficient
permissions to access a file or folder or a result of not being the
owner of a folder that belongs to them.
After reinstalling cygwin several times and trial & error with changing
file and folder permissions and ownership I indeed found that users
who are not members of the Administrators group can gain access via
ssh/sftp. However, this requires tweaking of the permissions and
ownership from a cygwin shell:

SOLUTION

1) user X must have a /home/X folder which they are owner of and with
rwx permissions for themselves.
$ ls -l /home
total 0
drwx------+ 3 Administrator None 0 Oct 30 18:35 Administrator
drwx------+ 2 X None 0 Oct 30 18:40 X
2) users must have access to the passwd, group, profile and profile.d
files and folders in /etc. In fact I ended up giving full access rights
to users to all files and folders in /etc except the ssh* key and config
files.
$ ls -l etc
total 204
...
-rwxrwxr-x+ 1 Administrator Users 14 Oct 28 18:41 ftpusers
-rwxrwxr-x+ 1 Administrator Users 49 Oct 28 18:41 ftpwelcome
...
-rwxrwx---+ 1 Administrator Users 1692 Oct 29 18:39 group
-rwxrwx---+ 1 Administrator Users 1385 Oct 29 18:38 passwd
...
-rwxrwx---+ 1 Administrator Users 6530 Oct 28 18:41 profile
drwxrwx---+ 2 Administrator Users 0 Oct 28 18:39 profile.d
...
3) Users need full access rights to execute the .exe files in /bin,
/usr/bin and /usr/sbin (it seems to me now that chmod 770 would have
been sufficient):
$ ls -l /usr/sbin/
total 897
...
-rwxrwxrwx+ 1 Administrator Users 46592 Apr 19 2005 in.ftpd.exe
...
-rwxrwxrwx+ 1 Administrator Users 29184 Jul 5 23:30 sftp-server.exe
-rwxrwxrwx+ 1 Administrator Users 130048 Jul 5 23:30 ssh-keysign.exe
-rwxrwxrwx+ 1 Administrator Users 267776 Jul 5 23:30 sshd.exe

POST SCRIPTUM

Please review the information under 1-3 and if this is useful I would
welcome the maintainers of cygwin to include something along these lines
in the documentation. Hopefully this saves some time for others who
apparently were looking for the same.
with best regards
Theo
--
Ericsson Research, Service Layer Technologies
KI/EAB/TGB,SE-164 80 Kista, Sweden
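
The three conditions from the message above, written as an audit script to run as the non-administrator account. This is an added example, not part of the original post or of the Cygwin documentation; the function names and the optional ROOT prefix are assumptions made for illustration, and it flags world-writable executables because the message itself notes that 770 would have been sufficient.

```shell
#!/bin/sh
# Added example: audit the three conditions from the message.
# Caveat: only POSIX mode bits are checked. The "+" in the listings means
# extra ACL entries exist, and this script does not inspect them.

# 1) HOMEDIR must be a directory owned by USER with rwx for the owner.
check_home() {  # usage: check_home USER HOMEDIR
    [ -d "$2" ] && [ -n "$(find "$2" -prune -user "$1" -perm -0700)" ]
}

# 2) Print each required /etc entry the current user cannot read.
missing_etc() {  # usage: missing_etc ETCDIR
    for name in passwd group profile profile.d; do
        [ -r "$1/$name" ] || echo "$name"
    done
}

# 3) Print .exe files that any local account could overwrite (o+w).
world_writable_exes() {  # usage: world_writable_exes DIR...
    find "$@" -type f -name '*.exe' -perm -0002 | sort
}

# Run all checks. ROOT is a hypothetical path prefix (empty on a live system).
audit() {  # usage: audit USER [ROOT]
    user=$1 root=${2:-} rc=0
    check_home "$user" "$root/home/$user" ||
        { echo "FAIL home not owned/rwx: $root/home/$user"; rc=1; }
    miss=$(missing_etc "$root/etc")
    [ -z "$miss" ] || { echo "FAIL unreadable in $root/etc:"; echo "$miss"; rc=1; }
    ww=$(world_writable_exes "$root/bin" "$root/usr/bin" "$root/usr/sbin" 2>/dev/null)
    [ -z "$ww" ] || { echo "WARN world-writable executables:"; echo "$ww"; rc=1; }
    return $rc
}

# Stand-alone use: sh audit.sh USER [ROOT]
if [ $# -gt 0 ]; then audit "$@"; fi
```

A non-zero exit status means at least one condition failed or a world-writable executable was found.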