Mail Archives: cygwin/2014/12/15/06:36:02

X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:date:from:to:subject:message-id:reply-to
:references:mime-version:content-type:in-reply-to; q=dns; s=
default; b=QeLz+1yliKoNm2n6r+x6YN8/8BhDeiMOpEAzFN167FHCMLaHXIo5W
vPOF5nbYmG28CCwVLPULK0YFKevT8HOC2qCfD/7XBMKsHg1EFqM7WJ49HIIZi3ES
klOzBgET0IepmxFQUA3UKGk3p46Pqeau+u1Hg86hncAKjWRCXRo3IQ=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:date:from:to:subject:message-id:reply-to
:references:mime-version:content-type:in-reply-to; s=default;
bh=iHnEEXHWn15OU6rs6xUytk7ksjM=; b=sH7Mp+E663y6Y8ZuWTBTajSgb/uF
4GDUMJuRntUBnz8fxoG28tyGTRQUa5GBPTqeiNfZbWmdFs9Epd1Wk36aUh3EY/py
5hx76ECdtMCmB4zcQ29/x6jjrMqvxiZG4bL8QuNnFgpogEC9W9ufyYpZf5QT4ATy
h5pgswIQOdaB8g4=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-5.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.2
X-HELO: calimero.vinschen.de
Date: Mon, 15 Dec 2014 12:35:42 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: TEST RELEASE: Cygwin 1.7.34-002
Message-ID: <20141215113542.GE11307@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <20141206194943 DOT GD3810 AT calimero DOT vinschen DOT de> <CAMKht8iYnRuAJ7Eau6LDa_Jszxwo8YwybzwZNHjzWXLMUS8Y-w AT mail DOT gmail DOT com> <548AFD43 DOT 1040306 AT cornell DOT edu>
MIME-Version: 1.0
In-Reply-To: <548AFD43.1040306@cornell.edu>
User-Agent: Mutt/1.5.23 (2014-03-12)


On Dec 12 09:35, Ken Brown wrote:
> On 12/12/2014 8:49 AM, Michael DePaulo wrote:
> >On Sat, Dec 6, 2014 at 2:49 PM, Corinna Vinschen
> ><corinna-cygwin AT cygwin DOT com> wrote:
> >>I finally released another TEST version of the next upcoming Cygwin
> >>release.  The version number is 1.7.34-002.
> >
> >I *think* I am experiencing a very bad regression.
> >
> >These are the Windows permissions on my ~/.ssh/id_rsa file:
> >C:\cygwin\home\mike\.ssh>icacls id_rsa
> >id_rsa NT AUTHORITY\SYSTEM:(F)
> >        DEPAULO\mike:(R,W,D,WDAC,WO)
> >[...]
> >$ uname -a
> >CYGWIN_NT-6.3-WOW64 executor 1.7.34(0.282/5/3) 2014-12-06 18:03 i686 Cygwin
> >
> >mike AT executor ~
> >$ ssh galactica
> >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >Permissions 0670 for '/home/mike/.ssh/id_rsa' are too open.
> >It is recommended that your private key files are NOT accessible by others.
> >This private key will be ignored.
> >key_load_private_type: bad permissions
> >[...]
> >mike AT executor ~/.ssh
> >$ ls -latr id_rsa
> >-rw-rwx---+ 1 mike Domain Users 1743 Dec  7  2013 id_rsa
>
> This isn't a regression.  It's a deliberate change, so that Cygwin now takes
> ACLs into account when calculating permissions.  The simplest fix is to use
> the new feature of setfacl to remove the unwanted permissions.  From the
> release announcement:
>
> >- Add -b/--remove-all option to setfacl to reduce the ACL to only the
> >  entries representing POSIX permission bits.
>
> Ken

What he says.  Here are the important snippets from the POSIX ACL Linux
man page (for instance http://linux.die.net/man/5/acl), which was never
before implemented in Cygwin, but which is with the test release (and
thus the upcoming release):

  An ACL that contains entries of ACL_USER or ACL_GROUP tag types must
  contain exactly one entry of the ACL_MASK tag type.

Windows doesn't support MASK entries.  But POSIX requires a MASK entry
if a supplementary user or group has an ACL entry, thus Cygwin emulates
the entry.

  The ACL_MASK entry denotes the maximum access rights that can be
  granted by entries of type ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.

So the emulated MASK entry is the or'ed mask of all permissions granted
to the primary group and all supplementary users and groups.

  There is a correspondence between the file owner, group, and other
  permissions and specific ACL entries:
  [...]
  If the ACL has an ACL_MASK entry, the group permissions correspond to
  the permissions of the ACL_MASK entry.

So, the group permissions don't simply reflect the permissions of the
primary group, but the sum of permissions of the primary group and all
supplementary users and groups in the ACL.

It's unfortunate that this may break more installations, but it's also a
security improvement.  The group permissions reflect the fact that the
permissions granted to your ssh key are too open.  Fortunately the new
-b option to setfacl allows a quick fix.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
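The three acl(5) rules quoted in the reply above, worked through in code. This is an example added to this page, not Cygwin's implementation (which lives in C inside winsup and works on Windows security descriptors); it models the ACL as a list of POSIX.1e entries using the ACL_* tag names from acl(5). The ACL it starts from is constructed to mirror the icacls and ls output quoted in the thread, under the assumptions that SYSTEM's (F) full control maps to rwx on a named-user entry, that the owner's entry maps to rw- (as ls shows), and that neither the primary group nor anyone else has an entry. `Entry`, `emulated_mask`, `remove_all` and the other names are this example's own.

```python
"""POSIX.1e ACL -> mode bits, the way acl(5) (and now Cygwin) derives them.

Example added to this page, not Cygwin's own code.  It encodes the three
rules quoted from acl(5) in the reply:
  1. an ACL with ACL_USER or ACL_GROUP entries must carry exactly one ACL_MASK;
  2. the mask is the upper bound for ACL_USER, ACL_GROUP_OBJ and ACL_GROUP
     entries, so the emulated mask is the OR of all of them;
  3. when a mask exists, the file's group bits ARE the mask.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1
MASKED_TAGS = ("GROUP_OBJ", "USER", "GROUP")  # entries bounded by ACL_MASK
EXTENDED_TAGS = ("USER", "GROUP")             # named users / groups


@dataclass(frozen=True)
class Entry:
    tag: str        # USER_OBJ, USER, GROUP_OBJ, GROUP, MASK or OTHER
    qualifier: str  # user or group name for USER/GROUP, "" otherwise
    perms: int      # rwx bits, 0..7


def emulated_mask(acl):
    """Rule 2: Windows has no mask entry, so synthesise one as the OR of
    everything the mask would bound (primary group plus all named entries)."""
    mask = 0
    for e in acl:
        if e.tag in MASKED_TAGS:
            mask |= e.perms
    return mask


def normalise(acl):
    """Rule 1: add the mask if named entries exist and none was given;
    reject an ACL that claims more than one mask."""
    masks = [e for e in acl if e.tag == "MASK"]
    if len(masks) > 1:
        raise ValueError("at most one ACL_MASK entry allowed")
    has_extended = any(e.tag in EXTENDED_TAGS for e in acl)
    if has_extended and not masks:
        return list(acl) + [Entry("MASK", "", emulated_mask(acl))]
    return list(acl)


def mode_bits(acl):
    """Rule 3: owner/other come from USER_OBJ/OTHER; group comes from the
    mask when there is one, otherwise from GROUP_OBJ."""
    acl = normalise(acl)
    by_tag = {e.tag: e.perms for e in acl if e.tag not in EXTENDED_TAGS}
    group = by_tag["MASK"] if "MASK" in by_tag else by_tag["GROUP_OBJ"]
    return (by_tag["USER_OBJ"] << 6) | (group << 3) | by_tag["OTHER"]


def ls_mode_string(acl):
    """The rwx triplets ls -l prints, plus '+' when named entries exist."""
    mode = mode_bits(acl)
    out = ""
    for shift in (6, 3, 0):
        p = (mode >> shift) & 7
        out += ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")
    return out + ("+" if any(e.tag in EXTENDED_TAGS for e in acl) else "")


def ssh_key_too_open(mode):
    """OpenSSH's check behind 'UNPROTECTED PRIVATE KEY FILE': any group or
    other bit set makes the key unusable."""
    return (mode & 0o077) != 0


def remove_all(acl):
    """What `setfacl -b` does: drop every entry except the three that
    represent the POSIX permission bits (the mask goes with them)."""
    return [e for e in acl if e.tag in ("USER_OBJ", "GROUP_OBJ", "OTHER")]


# Constructed to mirror the quoted icacls/ls output (assumptions: SYSTEM's (F)
# -> rwx named-user entry; owner -> rw-; primary group "Domain Users" and
# everyone else have no entry, hence ---).
ID_RSA_ACL = [
    Entry("USER_OBJ", "", R | W),
    Entry("USER", "SYSTEM", R | W | X),
    Entry("GROUP_OBJ", "", 0),
    Entry("OTHER", "", 0),
]


def demo():
    """Mode before and after `setfacl -b` on the constructed key ACL."""
    return mode_bits(ID_RSA_ACL), mode_bits(remove_all(ID_RSA_ACL))


if __name__ == "__main__":
    before, after = demo()
    print(f"before: {before:04o} ({ls_mode_string(ID_RSA_ACL)})  too open: {ssh_key_too_open(before)}")
    print(f"after : {after:04o} ({ls_mode_string(remove_all(ID_RSA_ACL))})  too open: {ssh_key_too_open(after)}")
```

Run as-is it reproduces the thread: the constructed ACL comes out as 0670 / `rw-rwx---+`, which OpenSSH rejects, because the named SYSTEM entry alone drives the emulated mask to rwx even though the primary group itself has nothing. After `remove_all` (the `-b` reduction) only the three base entries remain, no mask is needed, and the mode is 0600. The point worth keeping in mind when reading `ls -l` on such files: with a mask present, the group column is a ceiling over every named entry, not a statement about the primary group.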


  Copyright © 2019   by DJ Delorie     Updated Jul 2019