Mail Archives: cygwin/2006/02/23/18:35:49
Igor Peshansky wrote:
> On Thu, 23 Feb 2006, Tim Daneliuk wrote:
>
>>Igor Peshansky wrote:
>>
>>>On Thu, 23 Feb 2006, Tim Daneliuk wrote:
>>>
>>
>><SNIP>
>>
>>>Same reason -- Cygwin isn't really ACL-aware. You can also restore
>>>the original ACLs by running something like "getfacl hosts.allow |
>>>setfacl -f - hosts.allow.orig" (assuming the owner stays the same).
>>>
>>>>-rwx------+ 1 tundra None 200 Feb 23 00:15 hosts.allow
>>>>-rwx------ 1 tundra None 200 Feb 23 00:15 hosts.allow.orig
>>>>-rwx------+ 1 tundra None 407 Feb 23 00:15 hosts.deny
>>>
>>>These files should really be owned by SYSTEM (or whatever user sshd
>>>runs as).
>>
>>Ahh - that was the hint I needed. But here is something very strange:
>>
>>As installed, hosts.allow is owned by the installing user - in this
>>case, "tundra" who is also an Administrator on the system.
>
> As installed by what? I couldn't find anything that generates that file.
>
I'm not sure. I did a *complete* install of cygwin. I dunno if it was
installed then, or when I ran ssh-host-config ...
>>sshd properly recognizes the rule found in this file.
>
> That's because it simply checks that a) permissions are no more than 700,
> and b) that the file is readable. Both are satisfied, even though the
> owner is wrong.
>
>>HOWEVER, if I edit the file (to change allow rules), I *have* to chown
>>it to SYSTEM or ssh access outside localhost fails.
>
> Thank your editor, which makes a copy. Once you make a copy, Cygwin only
> copies the POSIX permissions (which are 700), so that the file is no
> longer readable by SYSTEM. You can use the "getfacl | setfacl" trick to
> get the ACLs back.
>
Ah, OK, that explains it...
>>Stranger still is that once the file is owned by SYSTEM, it cannot be
>>further edited because I get a "Permission Denied" on it with emacs or
>>vi - strange considering that I am an Administrator on the system.
>
> Why is this strange? Normally you are not supposed to see files that
> belong to other users (and SYSTEM *is* another user). You can grab the
> ownership of the file and edit it, or make it world readable/writable and
> edit it. Just don't forget to change it back to the way it was, or sshd
> will complain.
>
>>P.S. Did I mention that I hate the Windows security model ;)
>
> Most of the above is not really due to Windows -- it would happen on any
> system that has ACLs.
> Igor
Point taken.
(And thanks for your help ;)
--
----------------------------------------------------------------------------
Tim Daneliuk tundra AT tundraware DOT com
PGP Key: http://www.tundraware.com/PGP/
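An added example, not code from either poster: a small sh wrapper that applies the two checks described above for hosts.allow/hosts.deny (mode no wider than 700, file readable) plus the owner check the thread arrives at, and an edit helper that saves the ACL with getfacl before the editor rewrites the file and restores it afterwards. It assumes GNU coreutils `stat -c` (as shipped with Cygwin), Cygwin's `setfacl -f FILE` form from the thread, and SYSTEM as the default expected owner.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU `stat -c` and, for the
# ACL copy, Cygwin's getfacl / setfacl -f as used in the thread.

# Mimic the checks sshd applies to a tcp_wrappers control file: POSIX mode
# with no group/other bits (no wider than 700), readable, and owned by the
# user sshd runs as (SYSTEM by default here). Prints each failing check and
# returns 0 only when all of them pass.
wrapper_file_ok() {
    file=$1; want_owner=${2:-SYSTEM}; rc=0
    mode=$(stat -c %a "$file") || return 1
    case "$mode" in
        *00) ;;   # 700, 600, 400 ...: only the owner's bits are set
        *)   echo "$file: mode $mode grants group/other access"; rc=1 ;;
    esac
    owner=$(stat -c %U "$file")
    [ "$owner" = "$want_owner" ] ||
        { echo "$file: owned by $owner, expected $want_owner"; rc=1; }
    [ -r "$file" ] || { echo "$file: not readable"; rc=1; }
    return $rc
}

# Edit a file without losing its Windows ACL. The editor writes a copy and
# renames it over the original, and Cygwin carries over only the 700 POSIX
# mode, so SYSTEM loses read access. Capture the ACL first, then put it back
# on the new file with the getfacl/setfacl trick from the thread.
edit_keeping_acl() {
    file=$1
    saved=$(mktemp) || return 1
    getfacl "$file" > "$saved" || { rm -f "$saved"; return 1; }
    "${EDITOR:-vi}" "$file"
    setfacl -f "$saved" "$file"   # Cygwin setfacl: read ACL entries from FILE
    rm -f "$saved"
    wrapper_file_ok "$file" "${2:-SYSTEM}"
}
```

Run `edit_keeping_acl /etc/hosts.allow` from a shell that can read the file; the final check reports anything sshd would still reject.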