Mail Archives: cygwin/2019/03/13/04:57:06

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Wed, 13 Mar 2019 09:56:50 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: sshd privsep user still required?
Message-ID: <20190313085650.GS3785@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <CANV9t=S6LFnDSKiJsL3GpjLNC+srJCAgkScZTiG0yAbxq3b40A AT mail DOT gmail DOT com> <CANV9t=SWJ_65Y7jgqgDzNkaUPh1YCHfibp6vb+tmvg-wKtPLyQ AT mail DOT gmail DOT com>
MIME-Version: 1.0
In-Reply-To: <CANV9t=SWJ_65Y7jgqgDzNkaUPh1YCHfibp6vb+tmvg-wKtPLyQ@mail.gmail.com>
User-Agent: Mutt/1.11.3 (2019-02-01)


On Mar 12 16:21, Bill Stewart wrote:
> On Thu, 17 Jan 2019 Corinna Vinschen wrote:
>
> > > Is the sshd disabled user account still required?
> >
> > No, actually it isn't.  These days the sshd server checks if the
> > privsep chroot environment should be used and that the process
> > is started under "root:root".  This never matches under Cygwin so
> > we could drop the sshd user requirement.
>
> So I was exploring using the ChrootDirectory setting in sshd_config to
> configure a user as sftp only.
>
> The following seems to work:
>
> 1) Run sshd service as SYSTEM
>
> 2) Specify SYSTEM as user 0 in /etc/passwd file; e.g.:
>
> SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false
>
> 3) Create a local sshd user account
>
> 4) Update sshd_config settings to use something such as:
>
> Match User sftponly
> ChrootDirectory /home/%u
> ForceCommand internal-sftp
>
> This works.
>
> If the sshd account is missing or disabled, I can't connect using the
> sftponly user, so it would seem that the sshd account really is required.
>
> I have three questions:
>
> a) Why is it necessary to specify SYSTEM as user number 0 in the
> /etc/passwd file?
>
> b) Why is the sshd account required?

sshd checks for uid 0 and requires the sshd account when chroot is
requested.

> c) Why are /cygdrive and /dev directories visible when connecting using a
> sftp client?

The Cygwin chroot implementation is pure fake.  It's not backed by the
OS and it's fairly easy to break out of the jail.  As such, the chroot
implementation is deprecated and only kept for backward compatibility.
I suggest not using it.  It gives a false sense of security.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
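
The setup Bill describes (ChrootDirectory in a Match block plus SYSTEM mapped to uid 0) and Corinna's verdict that the Cygwin chroot is not OS-backed suggest a check worth automating on Cygwin hosts. The script below is an added example, not code from this thread, from Cygwin or from OpenSSH: it flags an sshd_config that uses ChrootDirectory on a host whose passwd file maps any account to uid 0, which on Cygwin is exactly the "working" but fake-jail configuration. The sample sshd_config and passwd it writes are constructed for the demonstration (the sshd and sftponly SIDs are invented), and it assumes a POSIX sh with awk, as found in a Cygwin shell.

```shell
#!/bin/sh
# Added example (not code from the thread, Cygwin, or OpenSSH): audit an
# sshd_config and a passwd file for the combination the thread describes as
# "working" on Cygwin: a ChrootDirectory directive plus an account mapped to
# uid 0. On Cygwin that chroot is not OS-backed, so the combination deserves
# a warning rather than trust. File paths are parameters; the sample files
# below are constructed for the demo and are not real system files.

# Print each ChrootDirectory directive as "<scope><TAB><path>", where scope
# is the enclosing Match criteria or "global". sshd_config keywords are
# case-insensitive, so the first field is lowercased before comparing.
chroot_directives() {
  awk '
    BEGIN { scope = "global" }
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" {
      scope = $0
      sub(/^[ \t]*[^ \t]+[ \t]+/, "", scope)   # drop the "Match" keyword
      next
    }
    tolower($1) == "chrootdirectory" { print scope "\t" $2 }
  ' "$1"
}

# Print every account name whose numeric uid (third field) is 0.
uid0_accounts() {
  awk -F: 'NF >= 3 && $3 == 0 { print $1 }' "$1"
}

# Return 1 and report when chroot is configured AND some account has uid 0;
# return 0 otherwise. Arguments: path to sshd_config, path to passwd.
audit_sftp_chroot() {
  _dirs=$(chroot_directives "$1")
  _roots=$(uid0_accounts "$2")
  if [ -n "$_dirs" ] && [ -n "$_roots" ]; then
    printf 'WARN: ChrootDirectory set while uid 0 is mapped to: %s\n' "$_roots"
    printf '%s\n' "$_dirs" | sed 's/^/  /'
    return 1
  fi
  return 0
}

# Write constructed sample files mirroring the thread's setup and print the
# directory holding them. The sshd and sftponly SIDs are invented.
make_samples() {
  _d=$(mktemp -d)
  cat > "$_d/sshd_config" <<'EOF'
# constructed sample sshd_config
Subsystem sftp internal-sftp
Match User sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
EOF
  cat > "$_d/passwd" <<'EOF'
SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false
sshd:*:1001:513:sshd privsep,S-1-5-21-1-2-3-1001:/var/empty:/bin/false
sftponly:*:1002:513:sftponly,S-1-5-21-1-2-3-1002:/home/sftponly:/bin/bash
EOF
  printf '%s\n' "$_d"
}

# Usage: run the audit against the constructed samples.
SAMPLE_DIR=$(make_samples)
audit_sftp_chroot "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/passwd" \
  || echo "audit flagged the sample host"
```

Pointing the two functions at a real /etc/sshd_config and /etc/passwd turns this into a quick local check; a non-zero exit means the host is relying on the Cygwin chroot that the reply above says not to trust.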


  Copyright © 2019   by DJ Delorie     Updated Jul 2019