Mail Archives: cygwin/2017/05/29/04:39:57

Subject: Re: openssh: privilege separation no longer supported on Cygwin?
To: cygwin AT cygwin DOT com
References: <d436698bbd53eef3cbdda788d4926109 AT xs4all DOT nl>
From: Marco Atzeri <marco DOT atzeri AT gmail DOT com>
Message-ID: <37b863f6-ce5c-ef13-569f-8044fe485075@gmail.com>
Date: Mon, 29 May 2017 10:39:28 +0200

On 29/05/2017 07:23, Houder wrote:
> Hi,
>
> Privilege separation in sshd defaults to "sandbox" (as far as
> I understand, "openssh" has implemented a new mechanism).
>
> ... now I remember Corinna writing, that 'sandbox will not be
> an option for Cygwin' ... or words to that effect.
>
> Does this mean, that under Cygwin, privilege separation is no
> longer possible?
>
> ... because, that is, I think, what I am seeing:
>
>  - the userid of child sshd is still 'cyg_server' ...
>  - and I get an elevated shell when I login ...
>
> Not what I expected ...
>
> Gr. Henri
>

Hi Houder,
please read the last Announcement

https://sourceware.org/ml/cygwin-announce/2017-03/msg00028.html

* This release deprecates the sshd_config UsePrivilegeSeparation
    option, thereby making privilege separation mandatory. Privilege
    separation has been on by default for almost 15 years and
    sandboxing has been on by default for almost the last five.


It seems you misunderstood the communication:
- the possibility to NOT use "privilege separation" is deprecated
- "privilege separation" will become mandatory

Regards
Marco
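
One way to check a configuration against the announcement quoted above, as an added example that is not part of the original message or of the Cygwin or OpenSSH projects: it lists every active `UsePrivilegeSeparation` line in an sshd_config-style file. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list active UsePrivilegeSeparation
# settings in an sshd_config-style file.

# Print "LINE:VALUE" for every uncommented UsePrivilegeSeparation line.
# The keyword is matched case-insensitively; '=' is accepted as a separator.
find_privsep() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comment and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == "useprivilegeseparation")
                print NR ":" tolower(f[2])
        }' "$1"
}

# Summarise a file: returns 0 if the option is absent, 1 if it is still set.
audit_privsep() {
    hits=$(find_privsep "$1")
    if [ -z "$hits" ]; then
        echo "ok: UsePrivilegeSeparation not set"
        return 0
    fi
    for h in $hits; do
        case "${h#*:}" in
            no) echo "line ${h%%:*}: asks to disable privilege separation (deprecated)" ;;
            *)  echo "line ${h%%:*}: deprecated option set to '${h#*:}'" ;;
        esac
    done
    return 1
}

# Constructed sample input, not a real server configuration.
make_sample() {
    cat <<'EOF'
# sample sshd_config (constructed)
Port 22
#UsePrivilegeSeparation sandbox
useprivilegeseparation no
  UsePrivilegeSeparation=yes
EOF
}

sample=$(mktemp)
make_sample > "$sample"
audit_privsep "$sample" || true
rm -f "$sample"
```

On a real installation, pass the path of the server's own sshd_config to `audit_privsep` instead of the constructed sample.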

