Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
In-Reply-To: <CADi7v6+te0gAh-knHwRnBz_O6i8FJAFc_AJ5=hfutW6u7y4wJg@mail.gmail.com>
References: <CADi7v6K6Xbz3JYB-=JC23YMCEHzhmV3sSOAtcE73ydTecbcR-Q AT mail DOT gmail DOT com> <152755247 DOT 20150401232333 AT yandex DOT ru> <CADi7v6L0LyBSMRHWpWkcRPv-9=mZQLMTOPcyLO_k8kujV=ypTQ AT mail DOT gmail DOT com> <402200952 DOT 20150402043205 AT yandex DOT ru> <CADi7v6+T7Wg=JncC2K-SWANkG6xKL+Z0Y+4azRLs1S8s-YXwdw AT mail DOT gmail DOT com> <1876247786 DOT 20150402183153 AT yandex DOT ru> <CADi7v6+xL4GPSCkQixXgyDBM2N7RNJmNLRgqyQrmVQqeJRERbQ AT mail DOT gmail DOT com> <87twwyxtin DOT fsf AT Rainer DOT invalid> <CADi7v6+te0gAh-knHwRnBz_O6i8FJAFc_AJ5=hfutW6u7y4wJg AT mail DOT gmail DOT com>
Date: Thu, 2 Apr 2015 22:56:23 -0400
Message-ID: <CADi7v6+Z9ZTchPQwS9j9KowD6wJe139K6DjLPLETH0Fk+4gR0Q@mail.gmail.com>
Subject: Re: File Permissions - Yet Another Question / Clarification
From: Bryan Berns <bryan DOT berns AT gmail DOT com>
To: cygwin AT cygwin DOT com
Replying to myself on this topic in case anyone else is interested.

> 2) how can I get SSH to believe the two "admin" groups on my
> files are acceptable. I'm not optimistic I'm going to get SSH to
> change its behavior so I may need to recompile it to avoid the
> check.... which is obviously not desirable from a maintainability
> standpoint.

The applicable check at work here is check_ntsec() and the several lines after within authfile.c in the openssh package. I confirmed there is no elegant way to avoid or externally augment these checks as it's currently programmed without patching and recompiling (or using something like Microsoft Detours to fake out the external call to pathconf() which is called by check_ntsec() -- very ugly).

I completely agree with the general guidance that these are important checks as it prevents the user from accidentally exposing their private keys. In our environment, the check is returning a false positive given our home directory permissions are tightly controlled (immutable by end users, in fact) and some cross-domain administrative groups are used to delegate control of the directories to certain authorized personnel. Eliminating these groups from the DACL and granting these personnel Backup/Restore rights on the entire filer (hundreds of terabytes) is not a secure solution for us. I'm guessing others in a large corporate environment may find themselves in a similar scenario.

I was able to modify the check to work for our scenario and recompile. Obviously this isn't the ideal solution, but it looks like it's our only path forward. I still have to figure out why file ownership isn't recorded properly --- if I figure that out, I'll let everyone know as well.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
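Added example (not part of the message above, and not OpenSSH's own source): a stand-alone C re-implementation of the private-key permission test that authfile.c applies before loading a key. OpenSSH rejects a key file only when it is owned by the calling user and any group/other permission bit (mask 077) is set; a file owned by someone else is not rejected, since the user cannot fix it. The Cygwin-only check_ntsec() gate (a pathconf() query) is deliberately left out so the program compiles on any POSIX system. On Cygwin the mode bits that stat() reports are derived from the file's NTFS DACL, which is why additional administrative group ACEs of the kind described above surface as set bits in that mask and trip the check. The function names key_perm_ok, perm_result_str and check_with_mode, the enum values, and the /tmp scratch path are this example's own choices.

```c
/* Stand-alone mirror of the OpenSSH private-key permission test.
 * Illustrative code written for this page; not OpenSSH's source. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Verdicts returned by key_perm_ok(). */
enum perm_result {
    PERM_OK = 0,            /* key file passes the check */
    PERM_STAT_FAILED,       /* file missing or not stat-able */
    PERM_UNPROTECTED        /* owned by us, but group/other bits are set */
};

/*
 * The check as OpenSSH applies it: reject only when the file belongs to
 * the calling user AND any group/other permission bit (mask 077) is set.
 * On Cygwin these bits are derived from the NTFS DACL, so an extra ACE for
 * an administrative group shows up here as a set group/other bit.
 */
enum perm_result key_perm_ok(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return PERM_STAT_FAILED;
    if (st.st_uid == getuid() && (st.st_mode & 077) != 0)
        return PERM_UNPROTECTED;
    return PERM_OK;
}

/* Human-readable form of a verdict, used by the command-line runner. */
const char *perm_result_str(enum perm_result r)
{
    switch (r) {
    case PERM_OK:          return "ok";
    case PERM_STAT_FAILED: return "cannot stat";
    case PERM_UNPROTECTED: return "UNPROTECTED (group/other bits set)";
    }
    return "unknown";
}

/*
 * Experiment helper: create a scratch file (constructed input, owned by
 * the calling user), apply MODE, run the check, then delete the file.
 */
enum perm_result check_with_mode(mode_t mode)
{
    char tmpl[] = "/tmp/keyperm-XXXXXX";   /* assumed writable scratch dir */
    enum perm_result r = PERM_STAT_FAILED;
    int fd = mkstemp(tmpl);

    if (fd < 0)
        return PERM_STAT_FAILED;
    close(fd);
    if (chmod(tmpl, mode) == 0)
        r = key_perm_ok(tmpl);
    unlink(tmpl);
    return r;
}

int main(int argc, char **argv)
{
    /* With a path argument, check that file; otherwise run the demo. */
    if (argc > 1) {
        enum perm_result r = key_perm_ok(argv[1]);
        printf("%s: %s\n", argv[1], perm_result_str(r));
        return r == PERM_OK ? 0 : 1;
    }
    printf("mode 0600 -> %s\n", perm_result_str(check_with_mode(0600)));
    printf("mode 0640 -> %s\n", perm_result_str(check_with_mode(0640)));
    printf("mode 0644 -> %s\n", perm_result_str(check_with_mode(0644)));
    return 0;
}
```

Running the binary with a path argument (for example an id_rsa file) reports the same verdict OpenSSH would reach on that file's POSIX mode; on Cygwin, comparing that verdict against `icacls` output for the same file shows which DACL entries are being folded into the group/other bits.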
Copyright © 2019 by DJ Delorie. Updated Jul 2019.