From: "Larry Hall (Cygwin)"
Date: Tue, 07 Aug 2007 20:11:06 -0400
To: cygwin AT cygwin DOT com
Subject: Re: sshd not working on nineteen w2k servers (/var/empty must be owned by root) works on five win2k servers, works with svc acct and works on w2k3
Message-ID: <46B90A1A.50502@cygwin.com>
In-Reply-To: <9a6449f40708071320r684726f8vd51c2ef6d274f00d@mail.gmail.com>

Joel Harrison wrote:
> First of all, kudos to the cygwin team for making this work so well on
> my twenty w2k3 servers and thanks to all the contributors in the
> forums.
>
> After installing cygwin on each server, I ran "ssh-host-config -y -c
> "binmode tty ntsec" -w '!pwforj00!' ; net start sshd" (no it's not my
> real pw) :-) This works great on 2k3, but on most w2k servers the
> services don't start and there's no log output. It does work on some
> of them though.

You don't need to pass the "binmode tty ntsec" flags along. These are the
defaults. If the above works just fine for you on W2K3, it's because this
creates a service account for you (sshd_server). If it doesn't work on W2K,
there's one difference. If you force it to create the service account for
you on these W2K machines, does that solve the problem? If so, you have your
answer - LOCALSYSTEM on these machines is missing a key permission to run as
a service.
If not, you have a more basic problem on your hands. You need to look at
what other things you have running that could be blocking the 'sshd'
service. Please do not try to start 'sshd' as your or any other user from
the raw command line. This can mess up permissions on important files. If
you want to try running 'sshd' from the command line, please use a
system-owned window (Google the Cygwin list for "system-owned" to find
pointers on how to do this). Then you'll be running as LOCALSYSTEM and you
won't mess up the permissions. Of course, on any system that you already
have tried to run 'sshd' from the command line without being in a
system-owned console, you're already hosed. So try it on a freshly minted
machine.

> If I try an administrative account instead of localsystem, I get the
> /var/log/sshd output "/var/empty must be owned by root and not group
> or world-writable.", otherwise I get no log output even if I chmod 777
> /var/log.

Which suggests, as I mentioned above, that your permissions are now messed
up because you started 'sshd' as 'administrator'.

> broken and working directory permissions both look the same by default:
>
> $ ls -l
> total 0
> drwxr-x---+ 3 g000283 mkgroup-l-d 0 Aug  7 09:14 cache
> drwxr-xr-x+ 2 SYSTEM  root        0 Aug  7 09:17 empty
> drwxr-x---+ 3 g000283 mkgroup-l-d 0 Aug  7 09:13 lib
> drwxr-x---+ 2 g000283 mkgroup-l-d 0 Aug  7 09:17 log
> drwxr-x---+ 2 g000283 mkgroup-l-d 0 Aug  7 09:12 run
> drwxr-x---+ 2 g000283 mkgroup-l-d 0 Aug  7 09:12 tmp
>
> One way I've found to make it work is to chown /var/empty to an
> administrator account

Yep, that's not going to work in the long haul.

> $ /usr/sbin/sshd -D
> /var/empty must be owned by root and not group or world-writable.
>
> $ chown g000283 empty/
>
> $ /usr/sbin/sshd.exe -D
> (works)
>
> $ net start sshd
> The CYGWIN sshd service is starting.
> The CYGWIN sshd service could not be started.
>
> The service did not report an error.
>
> More help is available by typing NET HELPMSG 3534.

Expected.
See above.

> If I use the same admin credentials as the service account the service
> begins working.
>
> $ net start sshd
> The CYGWIN sshd service is starting.
> The CYGWIN sshd service was started successfully.
>
> So it seems cygwin doesn't feel that SYSTEM is an administrator aka
> root on most of these systems by default, or that LOCALSYSTEM has the
> needed "root" permissions. Why would that be? Working around this is
> (after much struggle) a two step process now.. 1> chown administrator
> /var/empty, 2> set service account to admin acct.

The only reason I can think of is that the permissions were removed from
the SYSTEM account on those systems. See the openssh.README file in
'/usr/share/doc/Cygwin' for the required permissions to switch user
contexts. Make sure LOCALSYSTEM has these. If that's not enough, check the
differences in permissions between the W2K machines that do and don't work.

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
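As an added example that is not part of the thread above, the following shell function reproduces the sanity check behind the "/var/empty must be owned by root and not group or world-writable" message, so a privilege-separation directory can be diagnosed from a Cygwin (or any GNU coreutils) shell before the service is started. It assumes the check is "owner uid 0 and no group/world write bits"; the uid is a parameter because Cygwin's /etc/passwd decides which uid root/SYSTEM maps to.

```shell
#!/bin/sh
# Added example (not from the original thread): mirror sshd's privsep
# directory check for /var/empty so the failure can be found before
# `net start sshd` reports nothing useful.
# Assumption: sshd requires owner uid 0 and no g/o write bits; pass the
# uid your /etc/passwd assigns to root/SYSTEM as the second argument.

# check_privsep_dir DIR [OWNER_UID]
# Prints each problem found; returns 0 when the directory would pass.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory"
        return 1
    fi
    uid=$(stat -c '%u' "$dir")   # numeric owner
    mode=$(stat -c '%a' "$dir")  # octal permission bits, e.g. 755
    rc=0
    if [ "$uid" -ne "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected uid $want_uid"
        rc=1
    fi
    # Group write is 020 and world write is 002 in octal; either one
    # makes sshd refuse the directory.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is group or world writable"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$dir: ok (uid $uid, mode $mode)"
    return $rc
}

# Usage: ./check_privsep.sh /var/empty [uid]
if [ $# -gt 0 ]; then
    check_privsep_dir "$@"
fi
```

A directory that passes this check but still fails under the service points at the service account's privileges rather than at /var/empty itself, which is the distinction Larry draws above.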