Mail Archives: cygwin/2006/04/08/13:26:06
I think I found part of the problem...
I found the source for "id" which calls either "getgroups()" or
"getugroups()" depending upon the usage (if passed without or with a
specific username, respectively). getugroups() is the one with the
problem. It uses setgrent() / getgrent() / endgrent(), and the list of
groups returned from getgrent() is always coming back empty.
All I can find for these last functions are the header declarations - no
source. It's looking like a problem with the implementation of getgrent().
How can I track this down further, or otherwise go about getting this fixed?
> From: Igor Peshansky <pechtcha <at> cs.nyu.edu>
> Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary groups?
> Newsgroups: gmane.os.cygwin
> Date: 2006-03-01 16:55:50 GMT (5 weeks, 3 days and 19 minutes ago)
>
> On Tue, 28 Feb 2006, Mark A. Ziesemer wrote:
>
>> "Igor Peshansky" <pechtcha <at> XX.XXX.XXX> wrote:
>
> <http://cygwin.com/acronyms/#PCYMTNQREAIYR>. Thanks.
>
>> > On Mon, 27 Feb 2006, Mark A. Ziesemer wrote:
>> >
>> >> I, too, am trying to lock down ssh access. Using OpenSSH's
>> >> AllowGroups configuration option looks like it would fit my needs
>> >> perfectly, but it doesn't work! More specifically, it ends up
>> >> denying all users, unless the user's PRIMARY group (as defined in
>> >> /etc/passwd) is within AllowGroups.
>> >>
>> >> I already found and read the following related posts, none of which
>> >> actually resolve the issue:
>> >> http://www.cygwin.com/ml/cygwin/2003-03/msg00128.html
>> >> http://www.cygwin.com/ml/cygwin/2000-03/msg00591.html
>> >> http://thread.gmane.org/gmane.os.cygwin/73007 ("sshd_conf and local
>> >> groups" started 12/31/2005)
>> >>
>> >> Using AllowUsers works as expected - but this is an administrative
>> >> nightmare. Ideally, I'd like to create a group called "SshUsers" and
>> >> set "AllowGroups SshUsers". This works, but only if I set the needed
>> >> user accounts in /etc/passwd to use this as their primary group.
>> >> Some users need their primary group to remain otherwise for other
>> >> reasons...
>> >>
>> >> I'm guessing this is more of an issue with the Cygwin user commands
>> >> than it is with the OpenSSH implementation. I DID run both mkpasswd
>> >> and mkgroup, and both my /etc/passwd and /etc/group files are
>> >> populated. However, running "groups myuser" or "id -Gn myuser"
>> >> returns only the primary group - "Domain Users". The results are
>> >> identical whether running bash locally or through an ssh connection.
>> >>
>> >> I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227
>> >> 13:07:35 i686 Cygwin", but have been able to reproduce this back to
>> >> 1.5.18, etc...
>> >>
>> >> Any assistance would be greatly appreciated - thanks!
>> >
>> > Let's start here:
>> >
>> >> Problem reports: http://cygwin.com/problems.html
>> >
>> > In particular, for the group to be recognized by Cygwin, it needs to
>> > be in /etc/group. I would guess that you're trying to set up a domain
>> > group... You didn't say exactly what mkgroup options you used to
>> > update /etc/group, so it may simply be that you're missing the
>> > necessary groups there (and thus Cygwin is unable to determine group
>> > membership). But a proper problem report based on the above
>> > guidelines (one that includes an attached output of "cygcheck -svr" on
>> > your system) would allow us to track this down further.
>>
>> Requested cygcheck attached, along with my sshd_config, group, and
>> passwd files. (Files are from reproducing the issue on another box for
>> privacy concerns, which explains why the Cygwin version is slightly
>> different from my original post.) In this example, all accounts are
>> local, with no domain involved.
>>
>> Additionally, the following is logged to my Application Event Log:
>>
>> Source: sshd, Category: None, Event ID: 0, User: NT AUTHORITY\SYSTEM ...
>> The following information is part of the event: sshd: PID 1504: User
>> MyUser from TestBox not allowed because none of user's groups are listed
>> in AllowGroups.
>
> Ah, ok, so it's not a permissions issue.
>
>> I do believe I misunderstood how the "groups" and "id" commands were
>> working. I see that running "groups" without the username displays all
>> groups for the current user (not all groups on the system), where "groups
>> MyUser" displays only the primary group. Some test output:
>>
>> MyUser <at> winxpsp2base ~
>> $ groups
>> None root Administrators Users SshUsers
>>
>> MyUser <at> winxpsp2base ~
>> $ id
>> uid=1004(MyUser) gid=513(None)
>> groups=0(root),513(None),544(Administrators),545(Users),1005(SshUsers)
>>
>> MyUser <at> winxpsp2base ~
>> $ groups MyUser
>> MyUser : None
>>
>> MyUser <at> winxpsp2base ~
>> $ id -Gn MyUser
>> None
>
> Not surprising, as "groups" essentially calls "id -Gn".
>
>> I'm guessing the OpenSSH sshd service must run some form of the latter
>> pair, which returns only the primary group, and not all associated
>> Windows groups...
>
> This may be true (i.e., groups aren't listed properly)... If you want to
> strip down sshd code to just the piece that queries for the groups, run
> that on Linux and Cygwin and demonstrate inconsistent results, I'm sure
> Corinna would be interested in such a testcase.
Running these commands under a real distro returns all groups as
expected, so Cygwin is definitely behaving differently...
> Igor