From: "Manel Rodero"
Subject: RE: Wich privileges required by ssh-host-config running user?
Date: Wed, 18 Jan 2006 16:05:41 +0100
Message-ID: <005c01c61c40$a6305d70$043a5393@fib.upc.es>
In-Reply-To: <43CE541C.9010200@gmx.de>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

> Because you are bound by the laws of NTFS access control
> entries. Having rights to write to a file doesn't mean you are
> allowed to change its owner. You need permissions to change
> the directory the files are in.
> And getting this right is easier in Windows than in Cygwin.
> Use cacls to look at etc and the files.

Yes, I've looked into /etc and the /etc/ssh* files. The /etc directory is created by the setup process. The ssh* files are created by the ssh-host-config script.

I know that the problem is with ACLs in the NTFS files, but I would like to know why this problem only occurs in these servers (casually all of them are in a Windows domain). Does the process of joining a domain change something in the local Administration account?

In a working server:

C:\cygwin\etc>cacls .
C:\cygwin\etc Everyone:(OI)(CI)F

---> the script has changed the ACL to SYSTEM !!!
C:\cygwin\etc>cacls ssh_config
C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
                             STANDARD_RIGHTS_ALL
                             DELETE
                             READ_CONTROL
                             WRITE_DAC
                             WRITE_OWNER
                             SYNCHRONIZE
                             STANDARD_RIGHTS_REQUIRED
                             FILE_GENERIC_READ
                             FILE_GENERIC_WRITE
                             FILE_GENERIC_EXECUTE
                             FILE_READ_DATA
                             FILE_WRITE_DATA
                             FILE_APPEND_DATA
                             FILE_READ_EA
                             FILE_WRITE_EA
                             FILE_EXECUTE
                             FILE_READ_ATTRIBUTES
                             FILE_WRITE_ATTRIBUTES
                         SERVEROK\None:R
                         Everyone:R

In the problematic servers (the ACLs are the default ones because the ssh-host-config script can't change them):

C:\cygwin\etc>cacls .
C:\cygwin\etc Everyone:(OI)(CI)F

---> The default ACLs of the files created by ssh-host-config (Administrator doesn't have full control over the files; but Administrator is the owner of the files)

C:\cygwin\etc>cacls sshd_config
C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
                              STANDARD_RIGHTS_ALL
                              DELETE
                              READ_CONTROL
                              WRITE_DAC
                              WRITE_OWNER
                              SYNCHRONIZE
                              STANDARD_RIGHTS_REQUI
                              FILE_GENERIC_READ
                              FILE_GENERIC_WRITE
                              FILE_READ_DATA
                              FILE_WRITE_DATA
                              FILE_APPEND_DATA
                              FILE_READ_EA
                              FILE_WRITE_EA
                              FILE_READ_ATTRIBUTES
                              FILE_WRITE_ATTRIBUTES
                          SERVERWRONG\None:(special access:)
                              READ_CONTROL
                              SYNCHRONIZE
                              FILE_GENERIC_READ
                              FILE_READ_DATA
                              FILE_READ_EA
                              FILE_READ_ATTRIBUTES
                          Everyone:(special access:)
                              READ_CONTROL
                              SYNCHRONIZE
                              FILE_GENERIC_READ
                              FILE_READ_DATA
                              FILE_READ_EA
                              FILE_READ_ATTRIBUTES

So, which RIGHTS does the Administrator account need to be able to change the owner of a file?

Thank you.
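An added example, not part of the original message: a short Python script that parses cacls listings like the two quoted above, reports which trustees hold WRITE_OWNER and WRITE_DAC, and lists the rights the problematic server's Administrator entry lacks relative to the working server's SYSTEM entry. The function names are illustrative, and the sample is constructed from the quoted listings with several rights wrapped per line.

```python
import re

# Constructed sample: the two cacls listings quoted in the message above,
# with the rights wrapped several per line to keep the sample short.
WORKING = r"""C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
    STANDARD_RIGHTS_ALL DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE
    STANDARD_RIGHTS_REQUIRED FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_GENERIC_EXECUTE
    FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA
    FILE_EXECUTE FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES
  SERVEROK\None:R
  Everyone:R
"""
PROBLEM = r"""C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
    STANDARD_RIGHTS_ALL DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE
    STANDARD_RIGHTS_REQUI FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA
    FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA
    FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES
  SERVERWRONG\None:(special access:)
    READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_READ_DATA FILE_READ_EA FILE_READ_ATTRIBUTES
  Everyone:(special access:)
    READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_READ_DATA FILE_READ_EA FILE_READ_ATTRIBUTES
"""

def parse_cacls(text):
    """Return {trustee: set(rights)} for one file's cacls listing."""
    body = text.split(None, 1)[1]   # assumption: path has no spaces, so it is token 1
    acl, current = {}, None
    for line in body.splitlines():
        line = line.strip()
        if ":" in line:                                # ACE header "trustee:perm"
            current, perm = line.split(":", 1)
            perm = re.sub(r"\([A-Z]+\)", "", perm)     # drop (OI)(CI)-style flags
            acl[current] = set() if "special access" in perm else {"simple:" + perm}
        elif line:                                     # rights of the current ACE
            acl[current].update(line.split())
    return acl

def missing(have, want):
    # A name cut short by cacls (STANDARD_RIGHTS_REQUI) matches the full right.
    return {w for w in want if not any(w.startswith(h) for h in have)}

def owner_change_rights(acl):
    # WRITE_OWNER gates changing the owner, WRITE_DAC gates changing the ACL.
    return {t: sorted(r & {"WRITE_OWNER", "WRITE_DAC"}) for t, r in acl.items()}

if __name__ == "__main__":
    ok, bad = parse_cacls(WORKING), parse_cacls(PROBLEM)
    print(owner_change_rights(bad))
    print(sorted(missing(bad[r"SERVERWRONG\Administrator"], ok[r"NT AUTHORITY\SYSTEM"])))
```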