Message-ID: <43FE46C9.1050201@tundraware.com>
Date: Thu, 23 Feb 2006 17:35:37 -0600
From: Tim Daneliuk
To: cygwin AT cygwin DOT com
Subject: Re: sshd, /etc/hosts.allow, & Alternate Access Methods
References: <43FDF37B DOT 8010006 AT tundraware DOT com> <43FDFBE3 DOT 1040308 AT tundraware DOT com>

Igor Peshansky wrote:
> On Thu, 23 Feb 2006, Tim Daneliuk wrote:
>
>> Igor Peshansky wrote:
>>
>>> On Thu, 23 Feb 2006, Tim Daneliuk wrote:
>>>
>>> Same reason -- Cygwin isn't really ACL-aware.  You can also restore
>>> the original ACLs by running something like "getfacl hosts.allow |
>>> setfacl -f - hosts.allow.orig" (assuming the owner stays the same).
>>>
>>>> -rwx------+ 1 tundra None 200 Feb 23 00:15 hosts.allow
>>>> -rwx------  1 tundra None 200 Feb 23 00:15 hosts.allow.orig
>>>> -rwx------+ 1 tundra None 407 Feb 23 00:15 hosts.deny
>>>
>>> These files should really be owned by SYSTEM (or whatever user sshd
>>> runs as).
>>
>> Ahh - that was the hint I needed.  But here is something very strange:
>>
>> As installed, hosts.allow is owned by the installing user - in this
>> case, "tundra" who is also an Administrator on the system.
>
> As installed by what?  I couldn't find anything that generates that file.

I'm not sure.  I did a *complete* install of cygwin.
I dunno if it was installed then, or when I ran ssh-host-config ...

>> sshd properly recognizes the rule found in this file.
>
> That's because it simply checks that a) permissions are no more than 700,
> and b) that the file is readable.  Both are satisfied, even though the
> owner is wrong.
>
>> HOWEVER, if I edit the file (to change allow rules), I *have* to chown
>> it to SYSTEM or ssh access outside localhost fails.
>
> Thank your editor which makes a copy.  Once you make a copy, Cygwin only
> copies the POSIX permissions (which are 700), so that the file is no
> longer readable by SYSTEM.  You can use the "getfacl | setfacl" trick to
> get the ACLs back.

Ah, OK that explains it...

>> Stranger still is that once the file is owned by SYSTEM, it cannot be
>> further edited because I get a "Permission Denied" on it with emacs or
>> vi - strange considering that I am an Administrator on the system.
>
> Why is this strange?  Normally you are not supposed to see files that
> belong to other users (and SYSTEM *is* another user).  You can grab the
> ownership of the file and edit it, or make it world readable/writable and
> edit it.  Just don't forget to change it back to the way it was, or sshd
> will complain.
>
>> P.S. Did I mention that I hate the Windows security model ;)
>
> Most of the above is not really due to Windows -- it would happen on any
> system that has ACLs.
>       Igor

Point taken.  (And thanks for your help ;)
--
----------------------------------------------------------------------------
Tim Daneliuk     tundra AT tundraware DOT com
PGP Key:         http://www.tundraware.com/PGP/

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
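The thread boils down to two conditions Igor describes for hosts.allow (POSIX mode no more than 700, and the file still readable by the account sshd runs as) plus the "getfacl | setfacl" trick for putting the Windows ACL back after an editor has replaced the file. The following is an added example, not code from the thread or from Cygwin: a small POSIX shell helper that checks the mode condition before you restart sshd, and a wrapper around the exact restore command quoted above. It assumes GNU `stat -c '%a'` (present on Cygwin and Linux) and, for the restore step, the Cygwin `setfacl -f -` syntax shown in the thread; the file name `hosts.allow.orig` is the one from the thread's listing.

```shell
#!/bin/sh
# check_hosts_allow_perms FILE
#   Returns 0 when FILE exists and its POSIX mode grants nothing to group
#   or other (i.e. is no more than 0700) AND the owner read bit is set,
#   the two conditions the thread says sshd checks.  Returns 1 when the
#   mode is wrong, 2 when the file is missing or cannot be stat'ed.
check_hosts_allow_perms() {
    f="$1"
    [ -f "$f" ] || return 2
    mode=$(stat -c '%a' "$f") || return 2      # GNU stat: octal mode, e.g. 700 or 4700
    mode=$(printf '%04d' "$mode")             # pad to 4 digits: 700 -> 0700, 0 -> 0000
    mode=${mode#?}                            # drop setuid/setgid/sticky digit -> 3 digits
    owner=${mode%??}                          # owner digit
    rest=${mode#?}                            # group+other digits
    [ "$rest" = "00" ] || return 1            # anything for group/other exceeds 700
    case "$owner" in
        4|5|6|7) return 0 ;;                  # owner has read
        *)       return 1 ;;                  # e.g. 000 or 200: sshd cannot read it
    esac
}

# restore_acl_from SRC DST
#   Copies the Windows ACL of SRC onto DST using the command quoted in the
#   thread ("getfacl hosts.allow | setfacl -f - hosts.allow.orig").  Only
#   meaningful on Cygwin; elsewhere it reports that the tools are absent.
restore_acl_from() {
    src="$1"; dst="$2"
    if ! command -v getfacl >/dev/null 2>&1 || ! command -v setfacl >/dev/null 2>&1; then
        echo "getfacl/setfacl not available; skipping ACL restore" >&2
        return 2
    fi
    getfacl "$src" | setfacl -f - "$dst"      # Cygwin setfacl reads the ACL from stdin with -f -
}

# Typical use after editing hosts.allow with an editor that writes a fresh file:
#   restore_acl_from /etc/hosts.allow.orig /etc/hosts.allow
#   check_hosts_allow_perms /etc/hosts.allow && echo "mode OK" || echo "fix mode before restarting sshd"
if [ "${1:-}" != "" ]; then
    check_hosts_allow_perms "$1"
    rc=$?
    case $rc in
        0) echo "$1: mode is <= 700 and owner-readable" ;;
        1) echo "$1: mode is too open or not readable by owner" ;;
        *) echo "$1: cannot check (missing file?)" ;;
    esac
    exit $rc
fi
```

The mode check covers only the POSIX bits; as Igor points out, the ACL entry for SYSTEM is what is lost when the editor copies the file, and that is what the restore step puts back. Run the check as a last step after any edit, since a file with mode 700 owned by the wrong account still passes the mode test but fails in practice.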