Date: Sat, 8 Apr 2006 17:04:55 -0400 (EDT)
From: Igor Peshansky
To: "Mark A. Ziesemer"
cc: cygwin AT cygwin DOT com
Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary groups?

Ugh, top-posting... Reformatted.

On Sat, 8 Apr 2006, Mark A. Ziesemer wrote:

> > From: Igor Peshansky cs.nyu.edu>
> > Subject: Re: sshd_conf and AllowGroups - how to make work with non-primary
> > groups?
> > Newsgroups: gmane.os.cygwin
> > Date: 2006-03-01 16:55:50 GMT (5 weeks, 3 days and 19 minutes ago)
> >
> > On Tue, 28 Feb 2006, Mark A. Ziesemer wrote:
> >
> > > "Igor Peshansky" XX.XXX.XXX> wrote:
> > >
> > > > On Mon, 27 Feb 2006, Mark A. Ziesemer wrote:
> > > >
> > > >> I, too, am trying to lock down ssh access. Using OpenSSH's
> > > >> AllowGroups configuration option looks like it would fit my needs
> > > >> perfectly, but it doesn't work! More specifically, it ends up
> > > >> denying all users, unless the user's PRIMARY group (as defined in
> > > >> /etc/passwd) is within AllowGroups.
> > > >>
> > > >> I already found and read the following related posts, none of which
> > > >> actually resolve the issue:
> > > >> http://www.cygwin.com/ml/cygwin/2003-03/msg00128.html
> > > >> http://www.cygwin.com/ml/cygwin/2000-03/msg00591.html
> > > >> http://thread.gmane.org/gmane.os.cygwin/73007 ("sshd_conf and local
> > > >> groups" started 12/31/2005)
> > > >>
> > > >> Using AllowUsers works as expected - but this is an administrative
> > > >> nightmare. Ideally, I'd like to create a group called "SshUsers" and
> > > >> set "AllowGroups SshUsers". This works, but only if I set the needed
> > > >> user accounts in /etc/passwd to use this as their primary group.
> > > >> Some users need their primary group to remain otherwise for other
> > > >> reasons...
> > > >>
> > > >> I'm guessing this is more of an issue with the Cygwin user commands
> > > >> than it is with the OpenSSH implementation. I DID run both mkpasswd
> > > >> and mkgroup, and both my /etc/passwd and /etc/group files are
> > > >> populated. However, running "groups myuser" or "id -Gn myuser"
> > > >> returns only the primary group - "Domain Users". The results are
> > > >> identical whether running bash locally or through an ssh connection.
> > > >>
> > > >> I'm currently running "CYGWIN_NT-5.2 z 1.5.20s(0.154/4/2) 20060227
> > > >> 13:07:35 i686 Cygwin", but have been able to reproduce this back to
> > > >> 1.5.18, etc...
> > > >>
> > > >> Any assistance would be greatly appreciated - thanks!
> > > >
> > > > Let's start here:
> > > >
> > > >> Problem reports: http://cygwin.com/problems.html
> > > >
> > > > In particular, for the group to be recognized by Cygwin, it needs to
> > > > be in /etc/group. I would guess that you're trying to set up a domain
> > > > group... You didn't say exactly what mkgroup options you used to
> > > > update /etc/group, so it may simply be that you're missing the
> > > > necessary groups there (and thus Cygwin is unable to determine group
> > > > membership). But a proper problem report based on the above
> > > > guidelines (one that includes an attached output of "cygcheck -svr" on
> > > > your system) would allow us to track this down further.
> > >
> > > Requested cygcheck attached, along with my sshd_config, group, and
> > > passwd files. (Files are from reproducing the issue on another box for
> > > privacy concerns, which explains why the Cygwin version is slightly
> > > different from my original post.) In this example, all accounts are
> > > local, with no domain involved.
> > >
> > > Additionally, the following is logged to my Application Event Log:
> > >
> > > Source: sshd, Category: None, Event ID: 0, User: NT AUTHORITY\SYSTEM ...
> > > The following information is part of the event: sshd: PID 1504: User
> > > MyUser from TestBox not allowed because none of user's groups are listed
> > > in AllowGroups.
> >
> > Ah, ok, so it's not a permissions issue.
> >
> > > I do believe I misunderstood how the "groups" and "id" commands were
> > > working. I see that running "groups" without the username displays all
> > > groups for the current user (not all groups on the system), where "groups
> > > MyUser" displays only the primary group. Some test output:
> > >
> > > MyUser winxpsp2base ~
> > > $ groups
> > > None root Administrators Users SshUsers
> > >
> > > MyUser winxpsp2base ~
> > > $ id
> > > uid=1004(MyUser) gid=513(None)
> > > groups=0(root),513(None),544(Administrators),545(Users),1005(SshUsers)
> > >
> > > MyUser winxpsp2base ~
> > > $ groups MyUser
> > > MyUser : None
> > >
> > > MyUser winxpsp2base ~
> > > $ id -Gn MyUser
> > > None
> >
> > Not surprising, as "groups" essentially calls "id -Gn".
> >
> > > I'm guessing the OpenSSH sshd service must run some form of the latter
> > > pair, which returns only the primary group, and not all associated
> > > Windows groups...
> >
> > This may be true (i.e., groups aren't listed properly)... If you want to
> > strip down sshd code to just the piece that queries for the groups, run
> > that on Linux and Cygwin and demonstrate inconsistent results, I'm sure
> > Corinna would be interested in such a testcase.
>
> Running these commands under a real distro returns all groups as
> expected, so Cygwin is definitely behaving differently...
>
> I think I found part of the problem...
>
> I found the source for "id" which calls either "getgroups()" or
> "getugroups()" depending upon the usage (if passed without or with a
> specific username, respectively). getugroups() is the one with the
> problem. It uses setgrent() / getgrent() / endgrent(), and the list of
> groups returned from getgrent() is always coming back empty.
>
> All I can find for these last functions are the header declarations - no
> source. It's looking like a problem with the implementation of
> getgrent().
>
> How can I track this down further, or otherwise go about getting this
> fixed?

setgrent()/getgrent()/endgrent() are implemented in Cygwin itself (in
winsup/cygwin/grp.cc). But as I said before -- if you can boil it down to
one simple testcase that behaves differently on Linux and Cygwin, I'm sure
the Cygwin developers would be interested in seeing it.

HTH,
	Igor
--
http://cs.nyu.edu/~pechtcha/
Igor Peshansky, Ph.D. (name changed!)
old name: Igor Pechtchanski
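The stripped-down testcase Igor asks for, written here as an added example that is not part of the thread nor of the id or sshd sources: it repeats getugroups()'s walk over setgrent()/getgrent()/endgrent() and then applies a simplified AllowGroups decision (exact group names only; sshd's real matching also accepts wildcard patterns). The function names and the comma-separated group list are my own conventions, not Cygwin's or OpenSSH's.

```c
#include <grp.h>
#include <string.h>

/* Walk the group database with setgrent()/getgrent()/endgrent(), as GNU
 * id's getugroups() does, collecting every group that lists `user` as a
 * member into `out` (comma-separated). Returns the count, or -1 when
 * getgrent() yields nothing at all (the symptom reported in the thread). */
static int getugroups_csv(const char *user, char *out, size_t outlen)
{
    int found = 0, seen = 0;
    struct group *gr;
    out[0] = '\0';
    setgrent();
    while ((gr = getgrent()) != NULL) {
        seen++;
        for (char **m = gr->gr_mem; m && *m; m++) {
            if (strcmp(*m, user) != 0) continue;
            if (found++) strncat(out, ",", outlen - strlen(out) - 1);
            strncat(out, gr->gr_name, outlen - strlen(out) - 1);
            break;
        }
    }
    endgrent();
    return seen ? found : -1;
}

/* Whole-token match of name[0..len) against a `delim`-separated list. */
static int has_token(const char *list, char delim, const char *name, size_t len)
{
    for (const char *p = list; p && *p; ) {
        const char *end = strchr(p, delim);
        size_t tl = end ? (size_t)(end - p) : strlen(p);
        if (tl == len && memcmp(p, name, len) == 0) return 1;
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Simplified AllowGroups decision (exact names, no sshd wildcard patterns):
 * allow if the primary group or any comma-separated supplementary group
 * appears in the space-separated AllowGroups value from sshd_config. */
static int allowed_by_groups(const char *primary, const char *supp_csv,
                             const char *allow_groups)
{
    if (has_token(allow_groups, ' ', primary, strlen(primary))) return 1;
    for (const char *p = supp_csv; p && *p; ) {
        const char *end = strchr(p, ',');
        size_t tl = end ? (size_t)(end - p) : strlen(p);
        if (has_token(allow_groups, ' ', p, tl)) return 1;
        p = end ? end + 1 : NULL;
    }
    return 0;
}
```

Call getugroups_csv() with the account name from a small main on both Linux and Cygwin and compare: -1 means getgrent() produced no entries, and a list shorter than what `id` prints for the logged-in user is the mismatch that makes "AllowGroups SshUsers" deny the account.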