Message-ID: <43FDFBE3.1040308@tundraware.com>
Date: Thu, 23 Feb 2006 12:16:03 -0600
From: Tim Daneliuk
Reply-To: tundra AT tundraware DOT com
To: cygwin AT cygwin DOT com
Subject: Re: sshd, /etc/hosts.allow, & Alternate Access Methods
References: <43FDF37B DOT 8010006 AT tundraware DOT com>

Igor Peshansky wrote:
> On Thu, 23 Feb 2006, Tim Daneliuk wrote:
>
>
> Same reason -- Cygwin isn't really ACL-aware. You can also restore the
> original ACLs by running something like "getfacl hosts.allow | setfacl -f
> - hosts.allow.orig" (assuming the owner stays the same).
>
>
>>-rwx------+ 1 tundra None 200 Feb 23 00:15 hosts.allow
>>-rwx------  1 tundra None 200 Feb 23 00:15 hosts.allow.orig
>>-rwx------+ 1 tundra None 407 Feb 23 00:15 hosts.deny
>
>
> These files should really be owned by SYSTEM (or whatever user sshd runs
> as).
> HTH,
> Igor

Ahh - that was the hint I needed. But here is something very strange:

As installed, hosts.allow is owned by the installing user - in this
case, "tundra" who is also an Administrator on the system. sshd
properly recognizes the rule found in this file. HOWEVER, if I edit
the file (to change allow rules), I *have* to chown it to SYSTEM or
ssh access outside localhost fails.

Stranger still is that once the file is owned by SYSTEM, it cannot be
further edited because I get a "Permission Denied" on it with emacs or
vi - strange considering that I am an Administrator on the system.

P.S. Did I mention that I hate the Windows security model ;)

--
----------------------------------------------------------------------------
Tim Daneliuk     tundra AT tundraware DOT com
PGP Key:         http://www.tundraware.com/PGP/