From: Chris Taylor
Date: Wed, 18 Jan 2006 15:28:32 +0000
To: Manel Rodero
CC: cygwin AT cygwin DOT com
Subject: Re: Wich privileges required by ssh-host-config running user?

Manel Rodero wrote:
>>Because you are bound by the laws of ntfs access control
>>entries. Having rights to write to a file doesn't mean you are
>>allowed to change its owner. You need permissions to change
>>the directory the files are in.
>>And getting this right is easier in windows than in cygwin.
>>Use cacls to look at etc and the files.
>>
>>
>
>
> Yes, I've looked into /etc and /etc/ssh* files. /etc directory is created by
> the setup process. The ssh* files are created by the ssh-host-config script.
>
> I know that the problem is with ACLs in the NTFS files but I would like to
> know why this problem only occurs in these servers (casually all of them are
> in a windows domain). Does the process of joining a domain change something
> in the local Administration account?

You want to try with the domain administrator account, not the local
administrator.
If you're logging on as administrator, and log on to is set to the
domain, then you are already doing so and something most unusual is
occurring - suggestive of an admin removing administrator access to the
root filesystem, or to certain parts of it.
>
> In a working server:
>
> C:\cygwin\etc>cacls .
> C:\cygwin\etc Everyone:(OI)(CI)F
>
> ---> the script has changed the ACL to SYSTEM !!!
>
> C:\cygwin\etc>cacls ssh_config
> C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
>                              STANDARD_RIGHTS_ALL
>                              DELETE
>                              READ_CONTROL
>                              WRITE_DAC
>                              WRITE_OWNER
>                              SYNCHRONIZE
>                              STANDARD_RIGHTS_REQUIRED
>                              FILE_GENERIC_READ
>                              FILE_GENERIC_WRITE
>                              FILE_GENERIC_EXECUTE
>                              FILE_READ_DATA
>                              FILE_WRITE_DATA
>                              FILE_APPEND_DATA
>                              FILE_READ_EA
>                              FILE_WRITE_EA
>                              FILE_EXECUTE
>                              FILE_READ_ATTRIBUTES
>                              FILE_WRITE_ATTRIBUTES
>
>                          SERVEROK\None:R
>                          Everyone:R
>
> In the problematic servers (the ACLs are the default ones because the
> ssh-host-config script can't change them):
>
> C:\cygwin\etc>cacls .
> C:\cygwin\etc Everyone:(OI)(CI)F
>
> ---> The Default ACLs of the files created by ssh-host-config (Administrator
> doesn't have full control over the files; but Administrator is the owner of
> the files)
>
> C:\cygwin\etc>cacls sshd_config
> C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
>                              STANDARD_RIGHTS_ALL
>                              DELETE
>                              READ_CONTROL
>                              WRITE_DAC
>                              WRITE_OWNER
>                              SYNCHRONIZE
>                              STANDARD_RIGHTS_REQUI
>                              FILE_GENERIC_READ
>                              FILE_GENERIC_WRITE
>                              FILE_READ_DATA
>                              FILE_WRITE_DATA
>                              FILE_APPEND_DATA
>                              FILE_READ_EA
>                              FILE_WRITE_EA
>                              FILE_READ_ATTRIBUTES
>                              FILE_WRITE_ATTRIBUTES
>
>                          SERVERWRONG\None:(special access:)
>                              READ_CONTROL
>                              SYNCHRONIZE
>                              FILE_GENERIC_READ
>                              FILE_READ_DATA
>                              FILE_READ_EA
>                              FILE_READ_ATTRIBUTES
>
>                          Everyone:(special access:)
>                              READ_CONTROL
>                              SYNCHRONIZE
>                              FILE_GENERIC_READ
>                              FILE_READ_DATA
>                              FILE_READ_EA
>                              FILE_READ_ATTRIBUTES
>
> So, which RIGHTS need the Administrator account to be able to change the
> owner of a file?
>
> Thank you.
>

--
Spinning complacently in the darkness, covered and blinded by a blanket
of little lives, false security has lulled the madness of this world
into a slumber. Wake up!
An eye is upon you, staring straight down and keenly through, seeing all
that you are and everything that you will never be. Yes, an eye is upon
you, an eye ready to blink. So face forward, with arms wide open and
mind reeling. Your future has arrived... Are you ready to go?
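
Added example (not part of the original message or of Cygwin): a Python sketch that parses the cacls "special access" listing format quoted above and diffs the first ACE of the working file against the first ACE of the problem file, tolerating the truncated STANDARD_RIGHTS_REQUI entry. The sample listings are constructed from the quoted output (the problem file's trailing ACEs are abbreviated), and all function names are hypothetical.

```python
import re

# Constructed sample input rebuilt from the cacls output quoted in the message.
# "STANDARD_RIGHTS_REQUI" is kept truncated exactly as it appears there.
COMMON = ("STANDARD_RIGHTS_ALL DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE "
          "FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA FILE_WRITE_DATA "
          "FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_READ_ATTRIBUTES "
          "FILE_WRITE_ATTRIBUTES").split()

def listing(first_line, rights, tail):
    """Rebuild a cacls-style listing, one right per line (sample input only)."""
    return "\n".join([first_line] + ["    " + r for r in rights] + [""] + tail)

GOOD_PATH = r"C:\cygwin\etc\ssh_config"
BAD_PATH = r"C:\cygwin\etc\sshd_config"
GOOD = listing(GOOD_PATH + r" NT AUTHORITY\SYSTEM:(special access:)",
               COMMON + ["STANDARD_RIGHTS_REQUIRED", "FILE_GENERIC_EXECUTE", "FILE_EXECUTE"],
               [r"  SERVEROK\None:R", "  Everyone:R"])
BAD = listing(BAD_PATH + r" SERVERWRONG\Administrator:(special access:)",
              COMMON + ["STANDARD_RIGHTS_REQUI"],
              [r"  SERVERWRONG\None:(special access:)", "    READ_CONTROL", "    SYNCHRONIZE"])

# An ACE header is "PRINCIPAL:(special access:)" or "PRINCIPAL:<letter>".
ACE = re.compile(r"^(.*):(\(special access:\)|[NRWCF])$")

def parse_cacls(text, path):
    """Return {principal: set(rights)} in listing order for one file."""
    aces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path):            # first line carries the file path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:
            current = m.group(1)
            aces[current] = set() if m.group(2).startswith("(") else {m.group(2)}
        elif line and current is not None:   # a right belonging to the current ACE
            aces[current].add(line)
    return aces

def missing(a, b):
    """Rights in a with no counterpart in b; a truncated name matches its full form."""
    return sorted(r for r in a if not any(r.startswith(x) or x.startswith(r) for x in b))

def compare():
    """Diff the first ACE of the working file against that of the problem file."""
    g = next(iter(parse_cacls(GOOD, GOOD_PATH).values()))
    b = next(iter(parse_cacls(BAD, BAD_PATH).values()))
    return {"only_in_working": missing(g, b), "only_in_problem": missing(b, g),
            "write_owner_in_both": "WRITE_OWNER" in g and "WRITE_OWNER" in b}

if __name__ == "__main__":
    print(compare())
```

For the quoted listings, the only rights on the working file's first ACE that the problem file's first ACE lacks are FILE_EXECUTE and FILE_GENERIC_EXECUTE; WRITE_OWNER appears in both.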