Mail Archives: cygwin/2017/05/27/00:58:50
X-Recipient: archive-cygwin AT delorie DOT com
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.4 required=5.0 tests=AWL,BAYES_00,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.2 spammy=homes, SAM, comprehensive, userid
X-HELO: smtp-out-no.shaw.ca
Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca
Subject: Re: Problems with ssh-host-config and /var/run directory
References: <59272F87 DOT 9050300 AT faroul DOT de> <63db7c1b-bb96-c809-4a47-e727089d0c8a AT SystematicSw DOT ab DOT ca> <59289C75 DOT 2020307 AT faroul DOT de>
To: cygwin AT cygwin DOT com
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Message-ID: <e1d4234a-fc3c-57d8-e75e-c922969b63ec@SystematicSw.ab.ca>
Date: Fri, 26 May 2017 22:58:31 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <59289C75.2020307@faroul.de>
X-IsSubscribed: yes

On 2017-05-26 15:21, Henning Peters wrote:
> On 25.05.17 23:36, Brian Inglis wrote:
>> On 2017-05-25 13:24, Henning Peters wrote:
>>> I switched from 32bit to 64 bit a week ago, moved "cygwin" to "cygwin32" and
>>> reinstalled from scratch into a new "cygwin" directory.
>>> When trying to set up sshd using ssh-host-config, I get this message when
>>> using StrictModes (which I want to and did before on cygwin32 on this system):
>>> *** Warning: The owner and the Administrators need
>>> *** Warning: to have .w. permission to /var/run.
>>> *** Warning: Here are the current permissions and ACLS:
>>> *** Warning: drwxrwxrwt+ 1 faroul root 0 May 19 20:56 /var/run
>>> *** Warning: # file: /var/run
>>> *** Warning: # owner: faroul
>>> *** Warning: # group: root
>>> *** Warning: # flags: --t
>>> *** Warning: user::rwx
>>> *** Warning: group::rwx
>>> *** Warning: group:root:rwx
>>> *** Warning: group:SYSTEM:rwx
>>> *** Warning: mask:rwx
>>> *** Warning: other:rwx
>>> *** Warning: default:user::rwx
>>> *** Warning: default:group::rwx
>>> *** Warning: default:other:r-x
>>> *** Warning:
>>> *** Warning: Please change the user and/or group ownership,
>>> *** Warning: permissions, or ACLs of /var/run.
>>> *** ERROR: Problem with /var/run directory. Exiting.
>>> I tried a lot, but cannot find any solution.
>>> Any hints?
>> It's telling you that the Administrators group is missing write access.
>> Do you have a root id on your system or are you using passwd and group
>> files?
> passwd/group files.
> root and admin entries:
> root:S-1-5-32-544:0:
> Administratoren:S-1-5-32-544:544:
>> You could either change group ownership from root to Administrators:
>> $ chgrp -cR Administrators /var/run
>> and if your admin id is not faroul:
>> $ chown -cR <adminid> /var/run
>> or, to add explicit Administrators group access, and default access to
>> files created, explicit admin id ACL and DACL, and others read and search:
>> $ setfacl -m g:Administrators:rwx,d:g:Administrators:rwx,\
>> u:<adminid>:rwx,d:u:<adminid>:rwx,o::r-x /var/run
>> add Administrators and admin id to existing files:
>> $ setfacl -m g:Administrators:rwx,u:<adminid>:rwx,\
>> o::r-x /var/run/*
> Nothing helps... (German Windows, "Administratoren" is "Administrators")
> *** Warning: The owner and the Administrators need
> *** Warning: to have .w. permission to /var/run.
> *** Warning: Here are the current permissions and ACLS:
> *** Warning: drwxrwxrwt+ 1 Administratoren root 0 May 25 21:07 /var/run
> *** Warning: # file: /var/run
> *** Warning: # owner: Administratoren
> *** Warning: # group: root
> *** Warning: # flags: --t
> *** Warning: user::rwx
> *** Warning: user:Administratoren:rwx
> *** Warning: group::rwx
> *** Warning: group:SYSTEM:rwx
> *** Warning: mask:rwx
> *** Warning: other:rwx
> *** Warning: default:user::rwx
> *** Warning: default:user:Administratoren:rwx
> *** Warning: default:group::rwx
> *** Warning: default:mask:rwx
> *** Warning: default:other:r-x
> *** Warning:
> *** Warning: Please change the user and/or group ownership,
> *** Warning: permissions, or ACLs of /var/run.
> *** ERROR: Problem with /var/run directory. Exiting.
> /var> la
> total 18
> drwxr-xr-x+ 1 faroul None 0 May 25 21:17 ./
> drwxr-xr-x+ 1 faroul None 0 May 19 20:15 ../
> drwxr-xr-x+ 1 faroul None 0 May 18 23:21 cache/
> drwxr-xr-x+ 1 cyg_server root 0 May 18 23:25 empty/
> drwxr-xr-x+ 1 faroul None 0 May 18 23:21 lib/
> drwxrwxrwt+ 1 faroul None 0 May 19 21:40 log/
> drwxrwxrwt+ 1 Administratoren root 0 May 25 21:07 run/
I would expect the group owner to be Administratoren not root and the
user owner of run to be faroul or root:
# ls -dl /var/{run,empty}/
drwxr-xr-x+ 1 cyg_server Administrators 0 Nov 19 2013 /var/empty/
drwxrwxrwt+ 1 userid Administrators 0 May 23 19:01 /var/run/
except on my system actually /var/run -> ../run, as on Linux, and I don't
have any problems - I have a bunch of Linux-compatible symlinks all
over, including to Windows directories for homes and other non-Cygwin
stuff, and other similar customizations to make working with Windows
from Cygwin easier, with no problems.
You might want to try:
# chgrp Administratoren /var/{empty,run}
# chown root /var/run
or compare your old and current directories:
# ls -dl {/proc/cygdrive/c/cygwin32,}/var/{empty,run}
and reset security by reference to your old directories:
# chown --reference {/proc/cygdrive/c/cygwin32,}/var/empty
# chgrp --reference {/proc/cygdrive/c/cygwin32,}/var/empty
# chmod --reference {/proc/cygdrive/c/cygwin32,}/var/empty
# chown --reference {/proc/cygdrive/c/cygwin32,}/var/run
# chgrp --reference {/proc/cygdrive/c/cygwin32,}/var/run
# chmod --reference {/proc/cygdrive/c/cygwin32,}/var/run
Ensure your /etc/passwd and /etc/group files are complete by adding
required entries with:
# mkpasswd >> /etc/passwd
# mkgroup >> /etc/group
and edit those files carefully to remove any duplicates, and add any
missing fields to root.
Try typing:
# id root
and see if root has all of the required group memberships like:
# id SYSTEM
uid=18(SYSTEM) gid=18(SYSTEM) groups=544(Administrators),18(SYSTEM)
# id Administrators
uid=544(Administrators) gid=544(Administrators) groups=11(Authenticated Users),544(Administrators)
and add any missing group memberships to root in /etc/group.
Also check /etc/nsswitch.conf to ensure either the defaults, or your
settings, are appropriate, comprehensive, and necessary for your setup.
Last thought is to try:
# find /var/run/ | xargs setfacl -bk
to remove ACLs and use only straight POSIX permissions, but you may want
to save those first by running getfacl once for each directory and file:
# find /var/run/ | xargs savefacl.sh
where savefacl.sh loops thru all args, runs getfacl on each file and
saves each output in a unique file in some other directory like /tmp.
The current default in /etc/sshd_config for StrictModes is yes so we
should all be running like this unless manually changed, and no other
problems have been reported with this, although most probably use SAM
instead of files now.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
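
A sketch of the savefacl.sh helper described in the message, as an added example that is not part of the original post or of Cygwin. The names save_acls, SAVEFACL_DIR and INDEX are assumptions of this example, and it is fed NUL-delimited paths so that file names containing spaces survive.

```shell
#!/bin/sh
# savefacl.sh - added example of the helper described in the message.
# Usage: find /var/run/ -print0 | SAVEFACL_DIR=/tmp/acl-backup xargs -0 ./savefacl.sh
# save_acls, SAVEFACL_DIR and the INDEX file are names assumed for this example.

save_acls() {
    # $1 = output directory; remaining arguments = paths to record
    outdir=$1; shift
    rc=0
    umask 077                       # dumps list account names; keep them private
    mkdir -p "$outdir" || return 1
    # Continue numbering across calls, since xargs may run the script repeatedly.
    n=0
    if [ -f "$outdir/INDEX" ]; then
        n=$(wc -l < "$outdir/INDEX")
    fi
    for f in "$@"; do
        n=$((n + 1))
        out=$(printf '%s/%05d.acl' "$outdir" "$n")
        if getfacl "$f" > "$out"; then
            # INDEX maps each numbered dump back to the path it describes.
            printf '%s\t%s\n' "${out##*/}" "$f" >> "$outdir/INDEX"
        else
            echo "savefacl: getfacl failed for $f" >&2
            rm -f "$out"
            n=$((n - 1))            # reuse the number so names stay unique
            rc=1
        fi
    done
    return "$rc"
}

# Run only when called with paths, so the function can also be sourced.
if [ "$#" -gt 0 ]; then
    dir=${SAVEFACL_DIR:-$(mktemp -d "${TMPDIR:-/tmp}/savefacl.XXXXXX")}
    save_acls "$dir" "$@"
    status=$?
    echo "savefacl: ACL dumps written to $dir" >&2
    exit "$status"
fi
```

Set SAVEFACL_DIR when piping from xargs; otherwise each invocation that xargs makes creates its own temporary directory.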