From: "Manel Rodero"
Subject: RE: Wich privileges required by ssh-host-config running user?
Date: Wed, 18 Jan 2006 16:24:58 +0100

And ... in the problematic server the "Administrators" group has this
privilege:

Take ownership of files or other objects (SeTakeOwnershipPrivilege)

Allows a user to take ownership of any securable object in the system,
including Active Directory objects, NTFS files and folders, printers,
registry keys, services, processes, and threads.
Default setting: Administrators.

So, I don't know why the new files created by ssh-host-config can be changed
to be owned by SYSTEM...

Any idea?

> -----Original Message-----
> From: cygwin-owner AT cygwin DOT com
> [mailto:cygwin-owner AT cygwin DOT com] On Behalf Of Manel Rodero
> Sent: Wednesday, January 18, 2006 4:06 PM
> To: cygwin AT cygwin DOT com
> Subject: RE: Wich privileges required by ssh-host-config running user?
>
> > Because you are bound by the laws of ntfs access control
> > entries. Having rights to write to a file doesn't mean you are
> > allowed to change its owner. You need permissions to change
> > the directory the files are in.
> > And getting this right is easier in windows than in cygwin.
> > Use cacls to look at etc and the files.
>
> Yes, I've looked into /etc and /etc/ssh* files.
> /etc directory is created by the setup process. The ssh* files are
> created by the ssh-host-config script.
>
> I know that the problem is with ACLs in the NTFS files but I would like to
> know why this problem only occurs in these servers (casually all of them are
> in a windows domain). Does the process of joining a domain change something
> in the local Administration account?
>
> In a working server:
>
> C:\cygwin\etc>cacls .
> C:\cygwin\etc Everyone:(OI)(CI)F
>
> ---> the script has changed the ACL to SYSTEM !!!
>
> C:\cygwin\etc>cacls ssh_config
> C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
>                          STANDARD_RIGHTS_ALL
>                          DELETE
>                          READ_CONTROL
>                          WRITE_DAC
>                          WRITE_OWNER
>                          SYNCHRONIZE
>                          STANDARD_RIGHTS_REQUIRED
>                          FILE_GENERIC_READ
>                          FILE_GENERIC_WRITE
>                          FILE_GENERIC_EXECUTE
>                          FILE_READ_DATA
>                          FILE_WRITE_DATA
>                          FILE_APPEND_DATA
>                          FILE_READ_EA
>                          FILE_WRITE_EA
>                          FILE_EXECUTE
>                          FILE_READ_ATTRIBUTES
>                          FILE_WRITE_ATTRIBUTES
>
>                          SERVEROK\None:R
>                          Everyone:R
>
> In the problematic servers (the ACLs are the default ones because the
> ssh-host-config script can't change them):
>
> C:\cygwin\etc>cacls .
> C:\cygwin\etc Everyone:(OI)(CI)F
>
> ---> The Default ACLs of the files created by ssh-host-config
> (Administrator doesn't have full control over the files; but
> Administrator is the owner of the files)
>
> C:\cygwin\etc>cacls sshd_config
> C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
>                           STANDARD_RIGHTS_ALL
>                           DELETE
>                           READ_CONTROL
>                           WRITE_DAC
>                           WRITE_OWNER
>                           SYNCHRONIZE
>                           STANDARD_RIGHTS_REQUI
>                           FILE_GENERIC_READ
>                           FILE_GENERIC_WRITE
>                           FILE_READ_DATA
>                           FILE_WRITE_DATA
>                           FILE_APPEND_DATA
>                           FILE_READ_EA
>                           FILE_WRITE_EA
>                           FILE_READ_ATTRIBUTES
>                           FILE_WRITE_ATTRIBUTES
>
>                           SERVERWRONG\None:(special access:)
>                           READ_CONTROL
>                           SYNCHRONIZE
>                           FILE_GENERIC_READ
>                           FILE_READ_DATA
>                           FILE_READ_EA
>                           FILE_READ_ATTRIBUTES
>
>                           Everyone:(special access:)
>                           READ_CONTROL
>                           SYNCHRONIZE
>                           FILE_GENERIC_READ
>                           FILE_READ_DATA
>                           FILE_READ_EA
>                           FILE_READ_ATTRIBUTES
>
> So, which RIGHTS does the Administrator account need to be able to
> change the owner of a file?
>
> Thank you.
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
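
Added example, not part of the original message or of Cygwin: a small parser for the cacls listings quoted above that reports which principals hold WRITE_OWNER and which rights the owner entry on the working server has that the one on the problematic server lacks. The function names are hypothetical, and the sample listings are abridged from the message as noted in the comments.

```python
import re

# Constructed samples, abridged from the two listings in the message: rights
# that appear in both owner entries are omitted except WRITE_DAC/WRITE_OWNER.
WORKING = r"""C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
                         WRITE_DAC
                         WRITE_OWNER
                         FILE_GENERIC_EXECUTE
                         FILE_EXECUTE

                         SERVEROK\None:R
                         Everyone:R
"""
BROKEN = r"""C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
                          WRITE_DAC
                          WRITE_OWNER

                          SERVERWRONG\None:(special access:)
                          READ_CONTROL
                          FILE_READ_DATA

                          Everyone:(special access:)
                          READ_CONTROL
                          FILE_READ_DATA
"""
# principal, optional inheritance flags such as (OI)(CI), then a simple right
# letter (R, C, F, W) or the "(special access:)" marker.
ACE = re.compile(r"^(.+?):((?:\([A-Z]{2}\))*)(\(special access:\)|[A-Z])$")

def parse_cacls(listing, path):
    """Return {principal: set of rights} for one `cacls <file>` listing."""
    acl, who = {}, None
    for line in listing.replace(path, "", 1).splitlines():
        line = line.strip()
        m = ACE.match(line)
        if m:                       # "principal:(flags)right" starts a new entry
            who = m.group(1)
            acl[who] = set() if m.group(3).startswith("(") else {m.group(3)}
        elif line and who:          # right name listed under "(special access:)"
            acl[who].add(line)
    return acl

def write_owner_holders(acl):
    """Principals whose entry grants WRITE_OWNER (explicitly or via F)."""
    return sorted(p for p, r in acl.items() if r & {"WRITE_OWNER", "F"})

ok = parse_cacls(WORKING, r"C:\cygwin\etc\ssh_config")
bad = parse_cacls(BROKEN, r"C:\cygwin\etc\sshd_config")
print(write_owner_holders(ok), write_owner_holders(bad))
print(sorted(ok[r"NT AUTHORITY\SYSTEM"] - bad[r"SERVERWRONG\Administrator"]))
```

Both owner entries carry WRITE_OWNER; the only rights missing on the problematic server are the two execute rights. WRITE_OWNER and SeTakeOwnershipPrivilege let a caller take ownership for itself, whereas assigning ownership to a different account such as SYSTEM is checked against SeRestorePrivilege in the caller's token, which the ACL does not show.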