From: Achim Gratz
To: cygwin AT cygwin DOT com
Subject: Re: Domain User restrictions - Windows server 2012 R2
Date: Sat, 06 Jul 2019 21:35:06 +0200
In-Reply-To: <9e8b10829e18453f9e3af064a0d67c7c@ATGRZSW1694.avl01.avlcorp.lan> (Daniel Bergbauer's message of "Wed, 3 Jul 2019 08:41:23 +0000")
Message-ID: <8736jjt0r9.fsf@Rainer.invalid>

Bergbauer, Daniel AVL/DE via cygwin writes:
> Information:
> * Cygwin (also ssh service) on the server is up and running on C:\tools\cygwin
> * Added Domain Users group to /etc/group of cygwin installation (means everyone can login with their windows password!):
> * Added every Domain User to passwd file.

Lots of cargo-culting there. Get rid of the group and passwd files and
use AD instead (it's the default anyway). I'd avoid password-based
logins with SSH and go public key only in your setup (unless the users
need to be able to use their credentials on the network).

> * Mapped following directories in fstab file:
> 1. C:/tools/cygwin /
> 2. C:/projects /home (because the home folder of every user is: C:\projects\username)
> 3. C:/tools/cygwin/bin /usr/bin
> 4. C:/tools/cygwin/lib /usr/lib (I cannot remember why I mapped point 3 & 4)

None of this is really needed, but you could keep 2. (it's slightly
better to use /etc/fstab.d/username for that).

> * Created RSA keys for EVERY user on the user's machine and put it
> into his/her home folder on the server with ssh-copy-id
> ... (/home/u89x77/.ssh == C:\projects\u89x77\.ssh). Everyone is now
> able to connect to his folder on the server without giving his/her
> windows password again (I had to do this because my tool to synch
> works with 'rsync')

So, disallow password-based logins.

> What I want now is, to restrict every user, who connects to the server
> via ssh, to its home folder /home/'username' == C:\projects\'username'
> For example: A user's username in our domain is u89x77. He's able to
> login normally via ssh but is also able to cd for example into
> C:\Windows or worse into C:\projects\'other username'\'absolute secret
> project'.

There is no way to restrict the user from exercising permissions that he
already has. So you'd need to make sure that the DACL on the user
directories is set up so that nobody can peek into another user's
directory. Plus, you must arrange it so that the user can not change the
DACL.

There is no chroot or similar on Windows. You could perhaps try whether
Windows containers or a VM provide enough isolation, but that may not be
a workable option on Server 2012 and eat too many resources depending on
the number of users.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
DIY Stuff: http://Synth.Stromeko.net/DIY.html
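The DACL setup Achim describes (each C:\projects\<username> readable only by its owner, and the user unable to change the DACL), as an added PowerShell example that is not from the thread or from Cygwin; the domain name, the Administrators/SYSTEM principals and the directory root are assumptions, and, as the reply notes, this does nothing about directories like C:\Windows that the user can already read.

```powershell
# Added example (not from the thread): lock down one Cygwin user's home
# directory under C:\projects so only that user (plus SYSTEM and the local
# Administrators group) can read it, and so the user cannot rewrite the DACL.
# Run from an elevated PowerShell on the server.
param(
    [Parameter(Mandatory)] [string]$UserName,   # e.g. u89x77 (name used in the thread)
    [string]$Domain = $env:USERDOMAIN,          # assumption: the server's AD domain
    [string]$Root   = 'C:\projects'             # the /home mapping from the thread
)

$path = Join-Path $Root $UserName
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

$acl = Get-Acl -Path $path
# Stop inheriting from C:\projects and discard the inherited ACEs, so a broad
# grant on the parent (e.g. Users: Read) cannot leak into this home directory.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Full control for SYSTEM and Administrators (needed for sshd and for backups).
foreach ($admin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $admin, 'FullControl', $inherit, $prop, $allow)))
}

# The user gets Modify, not FullControl: Modify excludes WRITE_DAC and
# WRITE_OWNER, so the user can work in the folder but cannot open it to others.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\$UserName", 'Modify', $inherit, $prop, $allow)))

# Make Administrators the owner. An object's owner always has implicit
# WRITE_DAC, so leaving the user as owner would let them undo the restriction.
$acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
Set-Acl -Path $path -AclObject $acl

# Check the result: only the three principals above should appear, none inherited.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Pair this with `PasswordAuthentication no` in the Cygwin /etc/sshd_config so that, as the reply recommends, only public-key logins reach these directories.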