Subject: Re: openssh: privilege separation no longer supported on Cygwin?
To: cygwin@cygwin.com
References: <d436698bbd53eef3cbdda788d4926109@xs4all.nl>
From: Marco Atzeri <marco.atzeri@gmail.com>
Message-ID: <37b863f6-ce5c-ef13-569f-8044fe485075@gmail.com>
Date: Mon, 29 May 2017 10:39:28 +0200

On 29/05/2017 07:23, Houder wrote:
> Hi,
>
> Privilege separation in sshd defaults to "sandbox" (as far as
> I understand, "openssh" has implemented a new mechanism).
>
> ... now I remember Corinna writing, that 'sandbox will not be
> an option for Cygwin' ... or words to that effect.
>
> Does this mean, that under Cygwin, privilege separation is no
> longer possible?
>
> ... because, that is, I think, what I am seeing:
>
>  - the userid of child sshd is still 'cyg_server' ...
>  - and I get an elevated shell when I login ...
>
> Not what I expected ...
>
> Gr. Henri
>

Hi Houder,
please read the last Announcement

https://sourceware.org/ml/cygwin-announce/2017-03/msg00028.html

* This release deprecates the sshd_config UsePrivilegeSeparation
    option, thereby making privilege separation mandatory. Privilege
    separation has been on by default for almost 15 years and
    sandboxing has been on by default for almost the last five.


It seems you misunderstood the communication:
- the possibility to NOT use "privilege separation" is deprecated
- "privilege separation" will become mandatory

Regards
Marco
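
To check a configuration against the announcement quoted above, here is an added example that is not part of the original message or of OpenSSH itself. The function name `check_privsep` and the sample config are constructed for illustration. It lists every active `UsePrivilegeSeparation` line in an sshd_config so the deprecated keyword can be removed.

```shell
#!/bin/sh
# Added example (not from the original thread): find active uses of the
# deprecated UsePrivilegeSeparation keyword in an sshd_config file.

# sample_config: constructed input, not taken from any real host.
sample_config() {
cat <<'EOF'
# constructed sample sshd_config
Port 22
#UsePrivilegeSeparation no
  useprivilegeseparation = sandbox
UsePrivilegeSeparation no
EOF
}

# check_privsep FILE
# Prints "<line>:<value>:<verdict>" for each active occurrence.
# Exit status: 0 keyword absent, 1 present (yes/sandbox), 2 present with "no".
check_privsep() {
    awk '
    BEGIN { rc = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line)               # drop leading whitespace
        if (line == "" || line ~ /^#/) next    # skip blanks and comments
        n = match(line, /[ \t=]/)              # keyword ends at blank or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))  # keywords are case-insensitive
        if (key != "useprivilegeseparation") next
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)        # separator: blanks, optional "="
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)
        val = tolower(val)
        if (val == "no") {
            verdict = "deprecated; asks to disable the now mandatory privsep"
            rc = 2
        } else {
            verdict = "deprecated; remove the line"
            if (rc < 1) rc = 1
        }
        printf "%d:%s:%s\n", NR, val, verdict
    }
    END { exit rc }
    ' "$1"
}
```

Call it as `check_privsep /path/to/sshd_config`; commented-out lines are ignored, so only settings sshd would actually parse are reported.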



