Date: | Fri, 14 Apr 2023 22:13:48 +0200 |
To: | cygwin AT cygwin DOT com |
Subject: | Re: Permissions question / issue |
Message-ID: | <ZDmz/KAJnvJ6hRDz@calimero.vinschen.de> |
List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
From: | Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com> |

On Apr 14 15:43, Eliot Moss via Cygwin wrote:
> On 4/14/2023 3:11 PM, Corinna Vinschen via Cygwin wrote:
> > On Apr 13 23:03, Eliot Moss via Cygwin wrote:
> > > Dear cygwin'ers -
> > >
> > > I seem to be caught in a bind with the Cygwin permissions setup.
> > >
> > > ssh insists that ~/.ssh/config have permissions no less permissive than rw------- (600).
> >
> > Huh?  No, it doesn't, usually.  My file has perms rw-r--r-- (644) and
> > that's perfectly fine.  Also, I tried the same setting as you did,
> > i. e.
> >
> >   $ getfacl config
> >   # file: config
> >   # owner: corinna
> >   # group: vinschen
> >   user::rw-
> >   group::---
> >   group:SYSTEM:r-x
> >   mask::r-x
> >   other::---
> >
> > And ssh still works as desired and does not throw any error.
> >
> > You can also add g:SYSTEM:r-x to the directories and it should have
> > no negative side effect.  I just did that with ~/.ssh and ssh still
> > works as expected.
>
> Of course you're entirely right, Corinna!  Not sure how I got it
> in my head that it needed 600 permissions.  Thank you for clarifying!
>
> However ... ssh *does* demand that key files be accessible only by
> the user.

Hmm, right.  I should have thought of that.

> Is there a solution - if necessary using Windows tools -
> to make ssh happy while allowing a SYSTEM backup tool to back up
> the file?

Well, you could run a script before and after running the backup tool
which adds/removes SYSTEM perms to the affected files.

Alternatively you could do a fake from inside the Cygwin env:

- Move ~/.ssh to ~/.ssh-realperms

- Set the permissions in ~/.ssh-realperms as desired so they are
  secure *and* allow the backup tool to operate on them.

- Add a mount point to /etc/fstab.d/eliot:

  C:/cygwin64/home/eliot/.ssh-realperms /home/eliot/.ssh noacl 0 0

I didn't try that myself yet, but that should do what you want,
because ssh checks if the underlying filesystem (or mount point)
accepts POSIX permissions.  If not, certain permission checks are
skipped.

HTH,
Corinna
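
The first suggestion in the reply above (a script run before and after the backup that adds and removes SYSTEM permissions), sketched as an added example that is not code from the thread. It assumes Cygwin's setfacl is on PATH and accepts `-m`/`-x` group entries, and that the backup command is passed as arguments; `SSH_DIR`, `ACL_GROUP`, `SETFACL` and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Assumptions: Cygwin's setfacl is on
# PATH and accepts -m / -x group entries; the backup command is passed as
# this script's arguments; SSH_DIR and ACL_GROUP defaults are illustrative.
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"
ACL_GROUP="${ACL_GROUP:-SYSTEM}"
SETFACL="${SETFACL:-setfacl}"    # overridable, e.g. for a dry run

grant_backup_access() {
    # The directory needs r-x to be listed and traversed; files only r--.
    "$SETFACL" -m "g:$ACL_GROUP:r-x" "$SSH_DIR" || return 1
    for f in "$SSH_DIR"/*; do
        [ -f "$f" ] || continue
        "$SETFACL" -m "g:$ACL_GROUP:r--" "$f" || return 1
    done
}

revoke_backup_access() {
    # Keep going on errors so one failure does not leave other files open.
    failed=0
    for f in "$SSH_DIR"/*; do
        [ -f "$f" ] || continue
        "$SETFACL" -x "g:$ACL_GROUP" "$f" || failed=1
    done
    "$SETFACL" -x "g:$ACL_GROUP" "$SSH_DIR" || failed=1
    return "$failed"
}

run_backup_with_temp_acl() {
    # Subshell scopes the traps: the ACL entry is removed again whether the
    # backup succeeds, fails, or is interrupted; the backup's status is kept.
    (
        trap 'revoke_backup_access' EXIT
        trap 'exit 130' INT TERM
        grant_backup_access || exit 1
        "$@"
    )
}

if [ "$#" -gt 0 ]; then
    run_backup_with_temp_acl "$@"
fi
```

While the SYSTEM entry is in place the key files are not accessible only by the user, so ssh's key-file check discussed in the thread applies for the duration of the backup run.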