Date: Tue, 7 Aug 2007 16:20:56 -0400
From: "Joel Harrison"
To: cygwin AT cygwin DOT com
Subject: sshd not working on nineteen w2k servers (/var/empty must be owned by root) works on five win2k servers, works with svc acct and works on w2k3

First of all, kudos to the cygwin team for making this work so well on my twenty w2k3 servers, and thanks to all the contributors in the forums.

After installing cygwin on each server, I ran

    ssh-host-config -y -c "binmode tty ntsec" -w '!pwforj00!' ; net start sshd

(no, it's not my real pw) :-)

This works great on 2k3, but on most w2k servers the services don't start and there's no log output. It does work on some of them though. If I try an administrative account instead of localsystem, I get the /var/log/sshd output "/var/empty must be owned by root and not group or world-writable.", otherwise I get no log output even if I chmod 777 /var/log.

Broken and working directory permissions both look the same by default:

$ ls -l
total 0
drwxr-x---+ 3 g000283 mkgroup-l-d 0 Aug 7 09:14 cache
drwxr-xr-x+ 2 SYSTEM root 0 Aug 7 09:17 empty
drwxr-x---+ 3 g000283 mkgroup-l-d 0 Aug 7 09:13 lib
drwxr-x---+ 2 g000283 mkgroup-l-d 0 Aug 7 09:17 log
drwxr-x---+ 2 g000283 mkgroup-l-d 0 Aug 7 09:12 run
drwxr-x---+ 2 g000283 mkgroup-l-d 0 Aug 7 09:12 tmp

One way I've found to make it work is to chown /var/empty to an administrator account:

$ /usr/sbin/sshd -D
/var/empty must be owned by root and not group or world-writable.
$ chown g000283 empty/
$ /usr/sbin/sshd.exe -D
(works)
$ net start sshd
The CYGWIN sshd service is starting.
The CYGWIN sshd service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.

If I use the same admin credentials as the service account, the service begins working.

$ net start sshd
The CYGWIN sshd service is starting.
The CYGWIN sshd service was started successfully.

So it seems cygwin doesn't feel that SYSTEM is an administrator aka root on most of these systems by default, or that LOCALSYSTEM has the needed "root" permissions. Why would that be?

Working around this is (after much struggle) a two step process now:
1> chown administrator /var/empty
2> set service account to admin acct.

How can we make this work reliably without a service account? And then, how can we make it work out of the box? :-) Thoughts?

$ cat /etc/passwd (from broken system)
SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused_by_nt/2000/xp:1001:513:U-GTI0W043\Administrator,S-1-5-21-1417001333-920026266-839522115-1001:/home/Administrator:/bin/bash
Guest:unused_by_nt/2000/xp:501:513:U-GTI0W043\Guest,S-1-5-21-1417001333-920026266-839522115-501:/home/Guest:/bin/bash
g000283:unused_by_nt/2000/xp:14045:10545:g000283,U-ADBONET\g000283,S-1-5-21-1844237615-2049760794-682003330-4045:/cygdrive/c/Documents and Settings/g000283:/bin/bash
sshd:unused_by_nt/2000/xp:1008:513:sshd privsep,U-GTI0W043\sshd,S-1-5-21-1417001333-920026266-839522115-1008:/var/empty:/bin/false

Other comments and stuff I've tried --------------

chown SHOULD be unneeded since SYSTEM owns the directory by default?

I've tried chmod 700 /var/empty (per the symptom) on some of the systems with no results.

"root" is a group name and should be unimportant as long as the user is SYSTEM.

On the _working_ w2k systems, if I stop the sshd service and attempt to start it from the command line, it gives the same error as the broken ones (re /var/empty error); however it starts ok as a service. ?!?!

_working_ /var $ /usr/sbin/sshd.exe -D
/var/empty must be owned by root and not group or world-writable.
_working_ /var $ net start sshd
The CYGWIN sshd service is starting.
The CYGWIN sshd service was started successfully.

-----
passwd from working system (looks pretty much the same to me):

$ cat /etc/passwd
SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused_by_nt/2000/xp:1001:513:U-GTI0W043\Administrator,S-1-5-21-1417001333-920026266-839522115-1001:/home/Administrator:/bin/bash
Guest:unused_by_nt/2000/xp:501:513:U-GTI0W043\Guest,S-1-5-21-1417001333-920026266-839522115-501:/home/Guest:/bin/bash
g000283:unused_by_nt/2000/xp:14045:10545:g000283,U-ADBONET\g000283,S-1-5-21-1844237615-2049760794-682003330-4045:/cygdrive/c/Documents and Settings/g000283:/bin/bash
sshd:unused_by_nt/2000/xp:1008:513:sshd privsep,U-GTI0W043\sshd,S-1-5-21-1417001333-920026266-839522115-1008:/var/empty:/bin/false

Output of getfacl /var/* on broken system:

g000283 AT gti0w043 /var $ getfacl *
# file: cache
# owner: g000283
# group: mkgroup-l-d
user::rwx
group::r-x
group:root:rwx
group:SYSTEM:rwx
group:Power Users:rwx
mask:rwx
other:---
default:user::rwx
default:group:root:rwx
default:group:SYSTEM:rwx
default:group:Power Users:rwx
default:group:mkgroup-l-d:r-x
default:mask:rwx

# file: empty
# owner: SYSTEM
# group: root
user::rwx
group::r-x
mask:rwx
other:r-x
default:user::rwx
default:group::r-x
default:other:r-x

# file: lib
# owner: g000283
# group: mkgroup-l-d
user::rwx
group::r-x
group:root:rwx
group:SYSTEM:rwx
group:Power Users:rwx
mask:rwx
other:---
default:user::rwx
default:group:root:rwx
default:group:SYSTEM:rwx
default:group:Power Users:rwx
default:group:mkgroup-l-d:r-x
default:mask:rwx

# file: log
# owner: g000283
# group: mkgroup-l-d
user::rwx
group::r-x
group:root:rwx
group:SYSTEM:rwx
group:Power Users:rwx
mask:rwx
other:---
default:user::rwx
default:group:root:rwx
default:group:SYSTEM:rwx
default:group:Power Users:rwx
default:group:mkgroup-l-d:r-x
default:mask:rwx

# file: run
# owner: g000283
# group: mkgroup-l-d
user::rwx
group::r-x
group:root:rwx
group:SYSTEM:rwx
group:Power Users:rwx
mask:rwx
other:---
default:user::rwx
default:group:root:rwx
default:group:SYSTEM:rwx
default:group:Power Users:rwx
default:group:mkgroup-l-d:r-x
default:mask:rwx

# file: tmp
# owner: g000283
# group: mkgroup-l-d
user::rwx
group::r-x
group:root:rwx
group:SYSTEM:rwx
group:Power Users:rwx
mask:rwx
other:---
default:user::rwx
default:group:root:rwx
default:group:SYSTEM:rwx
default:group:Power Users:rwx
default:group:mkgroup-l-d:r-x
default:mask:rwx
--------------

Most days I wish everything ran on unix. It's not easy making windows behave like a nice unix OS. :-)

--Joel
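Added example, not part of the post above and not the sshd or Cygwin source: a POSIX shell function that reproduces the sanity test behind the "/var/empty must be owned by root and not group or world-writable" message, so the privilege-separation directory can be checked before the service is started rather than after it silently fails. The function uses GNU stat (which Cygwin ships); the optional list of accepted owner uids is an assumption of this example, added because the posted /etc/passwd maps SYSTEM to uid 18 rather than 0, while sshd itself compares against uid 0.

```shell
#!/bin/sh
# Pre-start check for sshd's privilege-separation chroot directory.
# Added example; it mirrors the conditions in the error message, not sshd's code.
#
# check_privsep_dir DIR [ALLOWED_UIDS]
#   DIR          the privsep directory (normally /var/empty)
#   ALLOWED_UIDS space-separated numeric uids accepted as the "root" owner;
#                defaults to "0". Passing "0 18" is an assumption for Cygwin
#                hosts whose /etc/passwd lists SYSTEM as uid 18.
# Prints the reason on failure and returns 1; returns 0 when DIR passes.
check_privsep_dir() {
    dir=$1
    allowed=${2:-0}

    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory"
        return 1
    fi

    # GNU stat: %u = numeric owner uid, %a = permission bits in octal.
    uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1

    owner_ok=1
    for u in $allowed; do
        [ "$uid" = "$u" ] && owner_ok=0
    done
    if [ "$owner_ok" -ne 0 ]; then
        echo "$dir: owned by uid $uid, expected one of: $allowed"
        return 1
    fi

    # Normalise to four octal digits (e.g. "755" -> "0755", "0" -> "0000"),
    # then isolate the group and other digits; bit 2 in each is the write bit.
    mode=$(printf '%04d' "$mode")
    last2=${mode#"${mode%??}"}
    g=${last2%?}
    o=${last2#?}
    if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
        echo "$dir: must not be group or world-writable (mode $mode)"
        return 1
    fi

    return 0
}

# Stand-alone usage:  sh check_privsep.sh /var/empty "0 18"
if [ $# -gt 0 ]; then
    check_privsep_dir "$@" && echo "$1: ok"
fi
```

Run it as the account the service will use; a clean exit status means the ownership and mode conditions named in the error message are satisfied, and a non-zero status prints which one is not, which is more than the Windows service manager reports when sshd dies at startup.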