Date: Thu, 23 Feb 2006 12:57:42 -0500 (EST)
From: Igor Peshansky
Reply-To: cygwin AT cygwin DOT com
To: Tim Daneliuk
cc: cygwin AT cygwin DOT com
Subject: Re: sshd, /etc/hosts.allow, & Alternate Access Methods
In-Reply-To: <43FDF37B.8010006@tundraware.com>
References: <43FDF37B DOT 8010006 AT tundraware DOT com>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Thu, 23 Feb 2006, Tim Daneliuk wrote:

> Is anyone familiar with alternate access methods as they apply to
> cygwin?  If I edit /etc/hosts.allow, the alternate access method
> (indicated by a '+' in an 'ls -l' listing) gets lost.  Thereafter
> /etc/hosts.allow is no longer properly observed by sshd - it makes ssh
> logins impossible from anything other than localhost.

Cygwin isn't ACL-aware, and file creation operations don't retain the
original ACLs -- Cygwin constructs them anew to reflect the permission
mapping.  See .  To make sure you keep the ACLs, use an editor that edits
files in-place, rather than making a copy (e.g., vim).

> So ... how do I edit /etc/hosts.allow and retain the alternate access
> method that appears to be crucial for proper sshd operation?

The alternate access method is not crucial.  What's crucial is that the
files should be a) readable by SYSTEM, and b) not group/world-readable.
To accomplish this, "chown SYSTEM.SYSTEM /etc/hosts.{allow,deny} && chmod 600 /etc/hosts.{allow,deny}"
(this is more secure, anyway).  No need for an alternate method.  You can
then temporarily chown them to your userid or "chmod a+w" for editing
(restoring the owner/permissions afterwards).

> P.S.
> Notice that merely copying the originally installed hosts.allow to
> a backup copy causes the alternate access method to be lost:

Same reason -- Cygwin isn't really ACL-aware.  You can also restore the
original ACLs by running something like
"getfacl hosts.allow | setfacl -f - hosts.allow.orig" (assuming the owner
stays the same).

> -rwx------+ 1 tundra None 200 Feb 23 00:15 hosts.allow
> -rwx------  1 tundra None 200 Feb 23 00:15 hosts.allow.orig
> -rwx------+ 1 tundra None 407 Feb 23 00:15 hosts.deny

These files should really be owned by SYSTEM (or whatever user sshd runs
as).
	HTH,
	Igor
-- 
http://cs.nyu.edu/~pechtcha/
pechtcha AT cs DOT nyu DOT edu | igor AT watson DOT ibm DOT com
Igor Peshansky, Ph.D. (name changed!)
old name: Igor Pechtchanski
a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in that!"
  -- Rostand, "Cyrano de Bergerac"

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
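As an added example, not part of Igor's reply or of Cygwin's own tooling: a POSIX sh check for the two conditions he names for hosts.allow and hosts.deny, namely the right owner and a mode that is owner-readable but not group/world-readable. It assumes GNU stat (which Cygwin and Linux coreutils provide); the expected owner defaults to SYSTEM as in the mail and can be overridden for other platforms.

```shell
#!/bin/sh
# Added example (not from the original mail): verify that a tcp_wrappers
# control file such as /etc/hosts.allow is owned by the account sshd runs
# as (SYSTEM on Cygwin), is readable by that owner, and grants no
# group/world access. Exit status 0 = OK, 1 = a condition is violated.
# Assumes GNU stat; the owner name is a parameter because it varies.

check_wrappers_file() {
    file=$1
    want_owner=${2:-SYSTEM}   # expected owner; override on non-Cygwin hosts
    status=0

    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file"
        return 1
    fi

    owner=$(stat -c '%U' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1    # octal, e.g. 600 or 1644

    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owned by $owner, expected $want_owner"
        status=1
    fi

    # Split the octal mode: the last two digits are group and other,
    # the digit before them is the owner's permissions.
    go=${mode#"${mode%??}"}
    u=${mode%??}
    u=${u#"${u%?}"}

    if [ "$go" != "00" ]; then
        echo "$file: mode $mode grants group/world access; use chmod 600"
        status=1
    fi
    if [ $(( u & 4 )) -eq 0 ]; then
        echo "$file: mode $mode is not readable by its owner"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "$file: ok (owner $owner, mode $mode)"
    return "$status"
}

# On Cygwin, after editing and restoring owner/mode as the mail describes:
#   check_wrappers_file /etc/hosts.allow && check_wrappers_file /etc/hosts.deny
```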