Date: Thu, 23 Feb 2006 18:27:03 -0500 (EST)
From: Igor Peshansky
To: Tim Daneliuk
cc: cygwin AT cygwin DOT com
Subject: Re: sshd, /etc/hosts.allow, & Alternate Access Methods

On Thu, 23 Feb 2006, Tim Daneliuk wrote:

> Igor Peshansky wrote:
>
> > On Thu, 23 Feb 2006, Tim Daneliuk wrote:
> >
> > Same reason -- Cygwin isn't really ACL-aware.  You can also restore
> > the original ACLs by running something like "getfacl hosts.allow |
> > setfacl -f - hosts.allow.orig" (assuming the owner stays the same).
> >
> > > -rwx------+ 1 tundra None 200 Feb 23 00:15 hosts.allow
> > > -rwx------  1 tundra None 200 Feb 23 00:15 hosts.allow.orig
> > > -rwx------+ 1 tundra None 407 Feb 23 00:15 hosts.deny
> >
> > These files should really be owned by SYSTEM (or whatever user sshd
> > runs as).
>
> Ahh - that was the hint I needed.  But here is something very strange:
>
> As installed, hosts.allow is owned by the installing user - in this
> case, "tundra" who is also an Administrator on the system.

As installed by what?  I couldn't find anything that generates that file.

> sshd properly recognizes the rule found in this file.

That's because it simply checks that a) permissions are no more than 700,
and b) that the file is readable.  Both are satisfied, even though the
owner is wrong.

> HOWEVER, if I edit the file (to change allow rules), I *have* to chown
> it to SYSTEM or ssh access outside localhost fails.
Thank your editor, which makes a copy.  Once you make a copy, Cygwin only
copies the POSIX permissions (which are 700), so that the file is no longer
readable by SYSTEM.  You can use the "getfacl | setfacl" trick to get the
ACLs back.

> Stranger still is that once the file is owned by SYSTEM, it cannot be
> further edited because I get a "Permission Denied" on it with emacs or
> vi - strange considering that I am an Administrator on the system.

Why is this strange?  Normally you are not supposed to see files that
belong to other users (and SYSTEM *is* another user).  You can grab the
ownership of the file and edit it, or make it world readable/writable and
edit it.  Just don't forget to change it back to the way it was, or sshd
will complain.

> P.S. Did I mention that I hate the Windows security model ;)

Most of the above is not really due to Windows -- it would happen on any
system that has ACLs.
	Igor
--
http://cs.nyu.edu/~pechtcha/
pechtcha AT cs DOT nyu DOT edu | igor AT watson DOT ibm DOT com
Igor Peshansky, Ph.D. (name changed!)
old name: Igor Pechtchanski
a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in
that!" -- Rostand, "Cyrano de Bergerac"

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
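The two conditions Igor describes (mode no more permissive than 700, and the file readable by the account the daemon runs as) are easy to audit before restarting sshd, and the audit catches exactly the failure in this thread: an editor that saves a fresh copy leaves a 700 file owned by the editing user, which the service account can then no longer read. The script below is an added example written for this page, not code from the thread or from Cygwin or OpenSSH. It assumes plain POSIX ownership and mode bits (it does not inspect extended ACLs, which is where Cygwin's getfacl/setfacl trick comes in), the function names are invented, and the files it checks are constructed temporary files.

```python
import os
import stat
import tempfile

# uid of the account running this script; used by the demo as the
# "daemon" account and as the "editing user" (constructed scenario).
CURRENT_UID = os.getuid()


def audit_access_file(path, service_uid):
    """Return a list of problems with a tcp_wrappers-style access file.

    Mirrors the two checks described in the message:
      a) no group/other permission bits set (mode no more permissive than 0700)
      b) the file is readable by the account the daemon runs as (service_uid)
    Assumption: POSIX semantics only; extended ACLs are not examined, and
    group membership is approximated by the group/other read bits.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []

    if mode & 0o077:
        problems.append(f"mode {oct(mode)} is more permissive than 0700")

    if service_uid == 0:
        readable = True                      # root reads everything
    elif st.st_uid == service_uid:
        readable = bool(mode & stat.S_IRUSR)  # daemon owns the file
    else:
        # Someone else owns it (the "wrong owner" case from the thread):
        # with a 0700 mode there is no read bit left for the daemon.
        readable = bool(mode & (stat.S_IRGRP | stat.S_IROTH))

    if not readable:
        problems.append(
            f"not readable by uid {service_uid} (owner is uid {st.st_uid})"
        )
    return problems


def demo_audit(mode, service_uid):
    """Create a constructed hosts.allow-like file with the given mode,
    audit it on behalf of service_uid, and return the problem list."""
    fd, path = tempfile.mkstemp(prefix="hosts.allow.")
    try:
        os.write(fd, b"sshd: 192.0.2.0/24\n")   # constructed rule (TEST-NET-1)
        os.close(fd)
        os.chmod(path, mode)                    # explicit mode, ignoring umask
        return audit_access_file(path, service_uid)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Correct owner, correct mode: nothing to report.
    print(demo_audit(0o700, CURRENT_UID))
    # Made world-readable to edit it and forgot to change it back.
    print(demo_audit(0o644, CURRENT_UID))
    # Saved by an editor as a new 0700 file owned by the editing user,
    # while the daemon runs as a different uid.
    print(demo_audit(0o700, CURRENT_UID + 1))
```

Run as-is it prints an empty list for the healthy case, a "more permissive than 0700" finding for the world-readable case, and a "not readable" finding for the wrong-owner case, which is the one that only shows up as a failed login from outside localhost.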