Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-ID: <3BCB1525.3E9FA2F4@rowman.com>
Date: Mon, 15 Oct 2001 12:56:05 -0400
From: John Peacock <jpeacock AT rowman DOT com>
MIME-Version: 1.0
To: Peter Buckley <peter DOT buckley AT cportcorp DOT com>
CC: Robert Collins <robert DOT collins AT itdomain DOT com DOT au>,
   Corinna Vinschen <cygwin AT cygwin DOT com>
Subject: Re: rsh: "Permission denied" on file creation. Cygwin 1.3.3 on W2K Adv  
 Srv SP2.
References: <FF503547C1F8D211BD2C0008C7C564010C9A492A AT exdkba06 DOT novo DOT dk> <3BC72151 DOT F11E6CB0 AT cportcorp DOT com> <20011013105919 DOT O1155 AT cygbert DOT vinschen DOT de> <3BC89445 DOT DEED628 AT rowman DOT com> <007d01c154b9$d088be30$0200a8c0 AT lifelesswks> <3BCB0C7D DOT 148867EF AT cportcorp DOT com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Peter Buckley wrote:
> 
> Ummm.... I don't understand why home directories on
> a network share would ever be "public". I thought that
> root on unix could read whatever it wanted
> (including home directories on network shares,
> hence SYSTEM is NOT equivalent), 

I don't think that is true of NFS mounts but it may be.

> but this
> idea of public sounds like anyone (the guest user) or
> some intruder could read the contents of my home
> directory on a network share without authenticating.
> That just sounds silly, so maybe I need someone to
> explain this idea of "public" to me.

The whole idea of "public" shares under NT gives me the absolute 
willies!

> 
> Basically, the problem here is the "security" feature
> that rsh uses where it tries to cd to the user's home
> directory as the SYSTEM account, then failing that
> exits if CYGWIN is defined. This is ridiculous.
> When I rsh, the whole idea is that I am "me" and I am
> executing commands as "me" on the remote system. I don't
> want to cd to my home directory as SYSTEM, and in this
> case it doesn't work because it is a network share and
> kicks me out.

This is indeed where this discussion started.  And, as I tried to 
point out at the time, rsh is a *nix program that has been modified to
work under CygWin.

The current security model is to do everything necessary to set up the
user's login, then drop the enhanced rights at the very last possible
moment.  Lots of *nix programs actually go further and use chroot, 
which actually places the user process in a virtual / without any way
of getting out to the rest of the machine.  Of course, this is not
possible under NT at all.  The fallback, to make sure that no one can
log in as Guest, is to not allow any login to non-existant $HOME
directories, which from the standpoint of SYSTEM, yours is.

So you are not "me" until after the cd for a very good reason.  To 
change it for CygWin would be to make it less secure.  Have you 
checked out ssh instead of rsh?  It is much more secure, from the 
ground up, and may actually work better for you.

> 
> I know that I can modify the code so it doesn't do this,
> but I don't think it should use this security feature this
> way. There are probably a bunch of NT users who have their
> home directories on network shares. It was explained to me
> that the whole idea of this security feature is so an
> unauthorized user doesn't end up in the / directory. The
> section of code does this-
> 
> if (cd $HOME)
> #okay, we cd'd to the home directory no problem
> else
> ifdef _CYGWIN_
> error (no remote directory; exit1)
> else
> cd /
> endif
> endif
> 
> Why can't the "cd /" simply be a "cd /some-harmless-place"
> and provide the same level of security? Simply saying
> "you shouldn't have your home directory on a network share"
> isn't good enough. Maybe I just don't understand the idea
> of making my home directory "public" and if someone explains
> it to me I can tell my sysadmins and have them set it up that
> way.
> 

The problem is that until NTSEC, there was no harmless place.  And I am
not sure that I would even rely on CygWin's NTSEC implementation (as it
relies on NT).  Corina would be much more likely to be able to tell you
whether this is a secure option.

John

p.s. really, you should be using ssh, not rsh ;~)

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/