Subject: Re: openssh: privilege separation no longer supported on Cygwin?
To: cygwin AT cygwin DOT com
From: Marco Atzeri
Message-ID: <37b863f6-ce5c-ef13-569f-8044fe485075@gmail.com>
Date: Mon, 29 May 2017 10:39:28 +0200

On 29/05/2017 07:23, Houder wrote:
> Hi,
>
> Privilege separation in sshd defaults to "sandbox" (as far as
> I understand, "openssh" has implemented a new mechanism).
>
> ... now I remember Corinna writing, that 'sandbox will not be
> an option for Cygwin' ... or words to that effect.
>
> Does this mean, that under Cygwin, privilege separation is no
> longer possible?
>
> ... because, that is, I think, what I am seeing:
>
>  - the userid of child sshd is still 'cyg_server' ...
>  - and I get an elevated shell when I login ...
>
> Not what I expected ...
>
> Gr. Henri
>

Hi Houder,
please read the last Announcement

https://sourceware.org/ml/cygwin-announce/2017-03/msg00028.html

  * This release deprecates the sshd_config UsePrivilegeSeparation
    option, thereby making privilege separation mandatory. Privilege
    separation has been on by default for almost 15 years and
    sandboxing has been on by default for almost the last five.

It seems you misunderstood the communication:

- the possibility to NOT use "privilege separation" is deprecated
- "privilege separation" will become mandatory

Regards
Marco
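
A check for leftover UsePrivilegeSeparation lines in an sshd_config, the option the announcement quoted above deprecates. This is an added example, not part of the thread or of OpenSSH; the function names and the sample config are constructed, and the parsing assumes the keyword is case-insensitive and separated from its value by whitespace or "=".

```shell
#!/bin/sh
# Added example: report active UsePrivilegeSeparation directives in an
# sshd_config-style file. Names and sample data are hypothetical.

# Prints "LINE:VALUE" per active directive; exit status 0 if any was found,
# 1 if the file carries none (commented-out lines do not count).
find_privsep_option() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)          # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            gsub(/^[ \t=]+/, "", val)
            gsub(/[ \t]+$/, "", val)
            if (key == "useprivilegeseparation") {
                printf "%d:%s\n", NR, val
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input, not taken from a real host.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample
Port 22
#UsePrivilegeSeparation sandbox
useprivilegeseparation no
  UsePrivilegeSeparation=yes
PermitRootLogin no
EOF
}

# Runs the check over the sample; passes the check's exit status through.
demo() {
    tmp=$(mktemp) || return 1
    sample_sshd_config > "$tmp"
    find_privsep_option "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo
```

Any line it reports sets an option the announcement describes as deprecated; call `find_privsep_option` with the path of the sshd_config to check.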