Message-ID: <4B429E75.7040606@cygwin.com>
Date: Mon, 04 Jan 2010 21:05:41 -0500
From: "Larry Hall (Cygwin)"
To: cygwin AT cygwin DOT com
Subject: Re: 1.7.1: problem with public key authentication on domain accounts

On 01/04/2010 08:29 PM, Thomas Nisbach wrote:
> Larry Hall (Cygwin cygwin.com> writes:
>
>>
>> On 01/04/2010 06:18 PM, Thomas Nisbach wrote:
>>> Bob Burger gmail.com> writes:
>>> ....
>>> Any ideas?
>>
>> Are you using LSA?  Have you read the security sections of the Users Guide?
>>
>>
>
> I just read a lot in the guide, since it was hardly recommended before
> updating to 1.7.1-1. After reading the security section I am quite sure I
> never ran cyglsa-config (/bin/cyglsa also does not exist).

There's probably very little reason to not go the "cyglsa" route, other than
the fact that ssh-host-config doesn't configure 'sshd' to use it. ;-)  It
might even be the panacea for all those who are used to running 'sshd' on
Linux where special permissions aren't necessary and it's common to run it
as 'root' (Administrator in Windows is the pseudo equivalent) from a command
line, at least for debugging.
This has caused many a problem for these people on Cygwin because you cannot
do this and easily get it to work afterward.  You're in this boat.  You
either need to start over from scratch (i.e. remove Cygwin and install again)
or you need to go through 'ssh-host-config' and make sure your
permissions/ownerships are set the way it would set them.

>>> PS: I stopped Google Desktop (known as application from BLODA list), but this
>>> was not the problem.
>>
>> BLODA is often not removed from having an effect without uninstalling the
>> offending package.  I can't say whether that's a requirement for Google
>> Desktop however.
>>
> There was a thread at Google
> (http://groups.google.com/group/Google-Desktop_Something-Broken/browse_thread/thread/0dabf807fbdf2d7f)
> I participated. We found, that in Google Desktop v5.8 the additional preloading
> of DLLs into any app's memory corrupted cygrunsrv (probably at fork()).
> Stopping GD and renaming the regkey
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
> was enough to make cygrunsrv/sshd running - no
> deinstallation/reboot was necessary. This was exactly what I've done this
> time - even I now run GD v5.9, which operated fine with cygrunsrv/sshd until I
> updated to CYGWIN v1.7.1.

Yep, that's fine.  Removing the DLL injection is enough here.  Deinstallation
gets you that by default but isn't a requirement.

> Additionally I found a problem with /var/empty permissions when using SSH
> privilege separation (also worked before). Even when I chmod 711 /var/empty,
> create a 'root' user and chown root:root /var/empty I get '/var/empty must be
> owned by root and not group or world-writable'. I entertain suspicion that
> there happened something stupid with the filesystem permissions for processes
> running as SYSTEM and/or background process...

See the comments I made above about "cyglsa" and 'root'.
In this case, 'root', or its relative Windows equivalent, 'Administrators',
is not what you want.  'SYSTEM' is what you want (on XP, cygserver is what
you want for later Windows versions).

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA  01746

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
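
The two checks discussed in this thread (ownership and write bits on /var/empty, and whether AppInit_DLLs preloads anything), sketched as an added example that is not part of the original message or of Cygwin's own scripts. The function names are hypothetical, the owner to expect (for instance SYSTEM, per the reply above) is supplied by the caller, and the default registry path assumes Cygwin's /proc/registry view of the key named in the thread.

```shell
#!/bin/sh
# check_privsep_dir DIR OWNER
#   OWNER is an account name or numeric uid chosen by the caller (assumption).
#   Returns 0 if DIR is owned by OWNER and is not group/world-writable,
#   1 if a check fails, 2 if the arguments cannot be evaluated.
check_privsep_dir() {
    dir=$1 want=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    case $want in
        ''|*[!0-9]*) want_uid=$(id -u "$want" 2>/dev/null) ||
                         { echo "$want: unknown account"; return 2; } ;;
        *)           want_uid=$want ;;
    esac
    # ls -ldn prints the mode string and numeric owner: "drwx--x--x 2 18 544 ..."
    set -- $(ls -ldn "$dir")
    mode=$1 uid=$3
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want (uid $want_uid)"
        rc=1
    fi
    # Characters 6 and 9 of the mode string are the group and world write bits.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "$dir: group or world-writable ($mode)"
        rc=1
    fi
    return $rc
}

# appinit_dlls [VALUE_FILE]
#   Returns 1 and prints the DLL list if the AppInit_DLLs value is non-empty,
#   0 if it is empty or absent. The default path is the Cygwin /proc/registry
#   view of the key quoted in the thread.
appinit_dlls() {
    val=${1:-"/proc/registry/HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/AppInit_DLLs"}
    [ -r "$val" ] || return 0
    # Registry strings read through /proc/registry can carry a trailing NUL.
    dlls=$(tr -d '\000' < "$val")
    [ -z "$dlls" ] && return 0
    echo "AppInit_DLLs loads: $dlls"
    return 1
}
```

On Cygwin, `check_privsep_dir /var/empty SYSTEM` followed by `appinit_dlls` covers both conditions before restarting the service.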