Date: Thu, 27 Jun 2002 18:10:33 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Cygwin OpenSSH 3.4 privilege separation issues

On Thu, Jun 27, 2002 at 11:36:14AM -0400, Chris Metcalf wrote:
> I upgraded from running OpenSSH 3.3 with privilege separation to running
> OpenSSH 3.4 and it no longer starts up correctly as a service;
> /var/log/sshd.log holds "Bad owner or mode for /var/empty". I've done a
> "chown 0 /var/empty; chmod 700 /var/empty" which should match the checking
> code in sshd.c, but for some reason it doesn't appear to. (A small
> cut-and-paste of the /var/empty checking code from sshd.c into a separate
> program doesn't issue the warning.) So this is a puzzle.
>
> Of course, "uid 0" is Everyone, and what we really want here is a check
> that /var/empty is owned by SYSTEM (uid 18). This is really a bigger
> issue; we shouldn't be relying on uid 0 to be special under Cygwin.

We don't. Did you read my announcement? I've said that the code
isn't the same as in the official package. The official maintainers
actually added the check for uid 0. I wasn't really excited as you
might guess.

My change added to the Cygwin version (which will get into the official
sources in a few days) is the following:

--- sshd.c.orig 2002-06-26 18:21:03.000000000 +0200 +++ sshd.c 2002-06-26 18:20:55.000000000 +0200
@@ -1035,7 +1035,13 @@ main(int ac, char **av) (S_ISDIR(st.st_mode) == 0)) fatal("Missing privilege separation directory: %s", _PATH_PRIVSEP_CHROOT_DIR); +#ifdef HAVE_CYGWIN + if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) && + (st.st_uid != getuid () || + (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) +#else if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) +#endif fatal("Bad owner or mode for %s", _PATH_PRIVSEP_CHROOT_DIR); }

This results in checking the owner of /var/empty against the user
running sshd... so that's typically SYSTEM.

> Meanwhile I've flipped UsePrivilegeSeparation back off for now, but we
> should get these issues fixed so we can use privilege separation.

It is.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
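Review bot: In the HAVE_CYGWIN branch the entire owner and mode test sits behind `check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&`, so whenever that call returns 0 the condition short-circuits and the directory is accepted with no ownership or group/other-write check and nothing logged. Please add a comment on that line saying why skipping the test is acceptable in that case, and consider emitting a log message when it is skipped so an administrator can tell the privilege separation directory was not verified. The same branch also changes the trust rule from "owned by uid 0" to `st.st_uid != getuid ()`, meaning the directory only has to belong to whichever account starts sshd; a one-line comment stating that this is intended (the running account rather than a fixed uid) would help the upstream reviewers. Style nit: `getuid ()` has a space before the parentheses, unlike the other calls in the hunk such as `fatal(` and `check_ntsec(`.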