| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org 0546E3857009 |
| DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; |
| s=default; t=1681501865; | |
| bh=qjDa523EhrxhkDrOxGWU0vW1QD8kJllZfJlo+cAkHBs=; | |
| h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe: | |
| List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To: | |
| From; | |
| b=r24C6eEfBb2xqbkWl/m0hpWOoLi8+ZB6QFjEjlAWrbt3O6dOvKha2II/03M4qZEyG | |
| TWK/LiozNilRmtgXMh6rcgTbmlYVfoMfBWnMCXiIdUFAGHIEqRXqaeXNfcFqE7R37g | |
| omZMXlY6rdYlGKsS3UXU+QAPCgGDm6FoV3Ra4nbk= | |
| X-Original-To: | cygwin AT cygwin DOT com |
| Delivered-To: | cygwin AT cygwin DOT com |
| DMARC-Filter: | OpenDMARC Filter v1.4.2 sourceware.org 70B0F385415F |
| Message-ID: | <1e61ce54-407c-a719-f55a-c8c8ccbc4d6b@cs.umass.edu> |
| Date: | Fri, 14 Apr 2023 15:49:55 -0400 |
| MIME-Version: | 1.0 |
| User-Agent: | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 |
| Thunderbird/102.10.0 | |
| Subject: | Re: Permissions question / issue |
| To: | cygwin AT cygwin DOT com |
| References: | <88697a53-26db-6969-2c18-3d6133d248c1 AT cs DOT umass DOT edu> |
| <ZDmlSTitA7bLQzY1 AT calimero DOT vinschen DOT de> | |
| <87c859fc-0bfb-e6cc-a29e-29ba4eaa1820 AT cs DOT umass DOT edu> | |
| In-Reply-To: | <87c859fc-0bfb-e6cc-a29e-29ba4eaa1820@cs.umass.edu> |
| X-Spam-Status: | No, score=-3.2 required=5.0 tests=BAYES_00, JMQ_SPF_NEUTRAL, |
| KAM_DMARC_STATUS, NICE_REPLY_A, SPF_HELO_NONE, SPF_PASS, TXREP, | |
| T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 | |
| X-Spam-Checker-Version: | SpamAssassin 3.4.6 (2021-04-09) on |
| server2.sourceware.org | |
| X-BeenThere: | cygwin AT cygwin DOT com |
| X-Mailman-Version: | 2.1.29 |
| List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
| List-Archive: | <https://cygwin.com/pipermail/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-request AT cygwin DOT com?subject=help> |
| List-Subscribe: | <https://cygwin.com/mailman/listinfo/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=subscribe> | |
| From: | Eliot Moss via Cygwin <cygwin AT cygwin DOT com> |
| Reply-To: | moss AT cs DOT umass DOT edu |
| Sender: | "Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com> |
| X-MIME-Autoconverted: | from base64 to 8bit by delorie.com id 33EJpR4b025988 |
On 4/14/2023 3:43 PM, Eliot Moss via Cygwin wrote:
> On 4/14/2023 3:11 PM, Corinna Vinschen via Cygwin wrote:
>> On Apr 13 23:03, Eliot Moss via Cygwin wrote:
>>> Dear cygwin'ers -
>>>
>>> I seem to be caught in a bind with the Cygwin permissions setup.
>>>
>>> ssh insists that ~/.ssh/config have permissions no less permissive than rw------- (600).
>>
>> Huh? No, it doesn't, usually. My file has perms rw-r--r-- (644) and
>> that's perfectly fine. Also, I tried the same setting as you did,
>> i. e.
>>
>> $ getfacl config
>> # file: config
>> # owner: corinna
>> # group: vinschen
>> user::rw-
>> group::---
>> group:SYSTEM:r-x
>> mask::r-x
>> other::---
>>
>> And ssh still works as desired and does not throw any error.
>>
>> You can also add g:SYSTEM:r-x to the directories and it should have
>> no negative side effect. I just did that with ~/.ssh and ssh still
>> works as expected.
>
> Of course you're entirely right, Corinna! Not sure how I got it
> in my head that it needed 600 permissions. Thank you for clarifying!
>
> However ... ssh *does* demand that key files be accessible only by
> the user. Is there a solution - if necessary using Windows tools -
> to make ssh happy while allowing a SYSTEM backup tool to back up
> the file?
More info:
At present I have:
$ getfacl id_rsa2
# file: id_rsa2
# owner: moss
# group: moss
user::rw-
group::---
group:SYSTEM:r-- #effective:---
mask::---
other::---
$ icacls id_rsa2
id_rsa2 NULL SID:(DENY)(Rc,DC)
ELIOT-SURFACE-3\moss:(R,W,D,WDAC,WO)
ELIOT-SURFACE-3\moss:(Rc,S,RA)
NT AUTHORITY\SYSTEM:(R)
Everyone:(Rc,S,RA)
I don't claim expert level understanding of the Windows access
scheme, but Windows Explorer believes that SYSTEM has read access
to the file, so I suppose this will work. I guess we're kind of
lying to cygwin a little - but in a way that is useful here.
Best wishes - Eliot
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |