Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Tue, 8 Jul 2003 13:39:53 -0500 (EST)
From: John <cras AT werd DOT net>
X-X-Sender: cras AT deuce DOT werd DOT lan
To: andrew brian clegg <a DOT clegg AT mail DOT cryst DOT bbk DOT ac DOT uk>
cc: cygwin AT cygwin DOT com
Subject: Re: OpenSSH + Public Key Auth + ntsec
In-Reply-To: <Pine.LNX.4.44.0307081742260.17066-100000@sark.cryst.bbk.ac.uk>
Message-ID: <Pine.LNX.4.43L0.0307081316550.6648-100000@deuce.werd.lan>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Here is the corruption as explained by my NT admin:

--- Begin ---
Our current ACL is:

(Owner)        : Administrators
Administrators : Full Control
SYSTEM         : Full Control
ServiceAccount : Full Control

Currently, whatever ssh/scp touches - the following ACL gets applied:

(Owner)        : ServiceAccount
Administrators : none (no permissions set)
SYSTEM         : none (no permissions set)
ServiceAccount : none (no permissions set)
CREATOR GROUP  : none (no permissions set)
CREATOR OWNER  : none (no permissions set)
Everyone       : Read/Write/Execute
None           : none (no permissions set)
--- End ---

Also, when trying to take ownership of the files in windows (as
administrator), we get the following error: "The security descriptor
structure is invalid".  The fix for this was to run xcacls.exe and that
allowed us to take ownership of files and directories.

Obviously, we're using ssh/scp for moving files around for an automated
process.  When files have been pushed to an ssh server, sometimes they are
not accessable by the user that scp'd them in the first place and our jobs
cannot continue.  When I first noticed this, I logged in via ssh and saw
these files were owned by the creator but had 0000 perms.  I did a "chmod
0644" and our automated process was then able to continue.  This happens
sporadically on some of our machines running cygwin.  A work around for
this is to "chmod 0644 <filename>" for every file before we do any further
processing of the file (move, copy, open, etc).

So there are two issues, not sure if they are directly related.  One, the
ACL's are getting changed to a point where an administrator can't regain
ownership through normal methods.  And two, when files are written,
sometimes they get 0000 perms.

We have reformatted these machines and done fresh installs and yet the
corruption happens all over again on every machine using cygwin & ssh.

If there were a way to not use ntsec and use inherited permissions via
nontsec, that would be stellar.

Thanks again,
John

On Tue, 8 Jul 2003, andrew brian clegg wrote:

>
>
>
> On Tue, 8 Jul 2003, John wrote:
>
> > CYGWIN="binmode ntsec tty".
> >
> > When making directories via ssh:
> > ssh <server> "mkdir /cygdrive/d/temp/test"
> > or when copying files via scp:
> > scp file.txt <server>:/cygdrive/d/temp/test
> >
> > the files are given the "ntsec" permissions from cygwin and are corrupting
> > the NTFS filesystem.
>
> Corrupting in what sense?
>
> I use ssh with ntsec set on and haven't seen any corruption yet, I should
> certainly like to know about it if it's likely to happen. Admittedly my
> setup is with password rather than PK authentication though.
>
> Andrew.
>
>
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
>
>


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/