Date: Thu, 2 Apr 2015 22:56:23 -0400
From: Bryan Berns <bryan.berns@gmail.com>
To: cygwin@cygwin.com
Subject: Re: File Permissions - Yet Another Question / Clarification
Message-ID: <CADi7v6+Z9ZTchPQwS9j9KowD6wJe139K6DjLPLETH0Fk+4gR0Q@mail.gmail.com>
In-Reply-To: <CADi7v6+te0gAh-knHwRnBz_O6i8FJAFc_AJ5=hfutW6u7y4wJg@mail.gmail.com>
List-Archive: <http://sourceware.org/ml/cygwin/>

Replying to myself on this topic in case anyone else is interested.

> 2) how can I get SSH to believe the two "admin" groups on my
> files are acceptable.  I'm not optimistic I'm going to get SSH to
> change its behavior so I may need to recompile it to avoid the
> check.... which is obviously not desirable from a maintainability
> standpoint.

The applicable check at work here is check_ntsec() and the several
lines after within authfile.c in the openssh package.  I confirmed
there is no elegant way to avoid or externally augment these checks as
it's currently programmed without patching and recompiling (or using
something like Microsoft Detours to fake out the external call to
pathconf() which is called by check_ntsec() -- very ugly).

I completely agree with the general guidance that these are important
checks as it prevents the user from accidentally exposing their
private keys.  In our environment, the check is returning a false
positive given our home directory permissions are tightly controlled
(immutable by end users, in fact) and some cross-domain administrative
groups are used to delegate control of the directories to certain
authorized personnel. Eliminating these groups from the DACL and
granting these personnel Backup/Restore rights on the entire filer
(hundreds of terabytes) is not a secure solution for us.  I'm guessing
others in a large corporate environment may find themselves in a
similar scenario.

I was able to modify the check to work for our scenario and recompile.
Obviously this isn't the ideal solution, but it looks like it's our
only path forward.

I still have to figure out why file ownership isn't recorded properly
--- if I figure that out, I'll let everyone know as well.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
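[Editor's note, added to the archive page; this is not part of Bryan's
mail and not OpenSSH's or Cygwin's own code.]  The check the mail is
talking about boils down to "the key file is owned by me and has any
group or other bit set", applied to the POSIX mode Cygwin synthesises
from the NTFS DACL.  The example below reproduces that test as a shell
preflight so you can find the keys ssh will refuse before it refuses
them, and shows why extra group ACEs on the file trip it.  Assumptions:
the condition (owner == current user) && (mode & 077) != 0, which is the
portable authfile.c rule the Cygwin build wraps in check_ntsec(); GNU
coreutils stat (which Cygwin ships), with a BSD stat fallback; the
function names and the constructed temp files are mine.

```shell
#!/bin/sh
# Added example (not from the mail above nor from OpenSSH/Cygwin).
# Reproduces the private-key permission check OpenSSH applies when it
# loads a key: refuse it when it is owned by the current user and any of
# the group/other bits (octal 077) are set.  On Cygwin the mode bits are
# derived from the NTFS DACL, so a second "admin" group ACE on the file
# shows up as group bits and makes this same check fail.

# key_perm_ok FILE
#   prints "ok" and returns 0 if FILE passes the OpenSSH test,
#   prints the offending mode and returns 1 if it is too open,
#   returns 2 if FILE cannot be stat'ed.
key_perm_ok() {
  f=$1
  # GNU stat first (Cygwin, Linux); fall back to BSD/macOS stat.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) \
    || return 2
  owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f" 2>/dev/null) \
    || return 2
  me=$(id -u)
  # "0$mode" makes the shell parse the digits as octal, as chmod would.
  if [ "$owner" = "$me" ] && [ $(( 0$mode & 0077 )) -ne 0 ]; then
    printf 'Permissions 0%s for %s are too open\n' "$mode" "$f"
    return 1
  fi
  echo ok
  return 0
}

# audit_ssh_dir DIR
#   Runs key_perm_ok over the private keys in DIR (id_* and *.pem,
#   skipping *.pub) and prints how many of them OpenSSH would reject.
audit_ssh_dir() {
  dir=$1
  bad=0
  for f in "$dir"/id_* "$dir"/*.pem; do
    [ -f "$f" ] || continue          # unmatched glob or not a file
    case $f in *.pub) continue ;; esac
    key_perm_ok "$f" >/dev/null || bad=$((bad + 1))
  done
  echo "$bad"
}

# Stand-alone demo on constructed files (constructed sample input, not
# real keys): one key at 0600, one with a group bit set as an extra
# group ACE would produce on Cygwin.
demo_dir=$(mktemp -d)
: > "$demo_dir/id_rsa";     chmod 600 "$demo_dir/id_rsa"
: > "$demo_dir/id_ed25519"; chmod 660 "$demo_dir/id_ed25519"
: > "$demo_dir/id_rsa.pub"; chmod 644 "$demo_dir/id_rsa.pub"
key_perm_ok "$demo_dir/id_rsa"
key_perm_ok "$demo_dir/id_ed25519" || true
echo "keys OpenSSH would reject: $(audit_ssh_dir "$demo_dir")"
rm -rf "$demo_dir"
```

On Cygwin, run `getfacl` (or `icacls` from a Windows prompt) on a key
this script flags and compare the ACEs with the mode bits; when the
only "offending" bits come from a delegated administrative group rather
than from a real group/other grant, you are in the situation the mail
describes, and chmod alone will not make the check pass.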

