Date: Fri, 14 Apr 2023 22:13:48 +0200
To: cygwin AT cygwin DOT com
Subject: Re: Permissions question / issue
From: Corinna Vinschen via Cygwin
Reply-To: cygwin AT cygwin DOT com

On Apr 14 15:43, Eliot Moss via Cygwin wrote:
> On 4/14/2023 3:11 PM, Corinna Vinschen via Cygwin wrote:
> > On Apr 13 23:03, Eliot Moss via Cygwin wrote:
> > > Dear cygwin'ers -
> > >
> > > I seem to be caught in a bind with the Cygwin permissions setup.
> > >
> > > ssh insists that ~/.ssh/config have permissions no less permissive than rw------- (600).
> >
> > Huh?  No, it doesn't, usually.  My file has perms rw-r--r-- (644) and
> > that's perfectly fine.  Also, I tried the same setting as you did,
> > i. e.
> >
> >   $ getfacl config
> >   # file: config
> >   # owner: corinna
> >   # group: vinschen
> >   user::rw-
> >   group::---
> >   group:SYSTEM:r-x
> >   mask::r-x
> >   other::---
> >
> > And ssh still works as desired and does not throw any error.
> >
> > You can also add g:SYSTEM:r-x to the directories and it should have
> > no negative side effect.  I just did that with ~/.ssh and ssh still
> > works as expected.
>
> Of course you're entirely right, Corinna!  Not sure how I got it
> in my head that it needed 600 permissions.  Thank you for clarifying!
>
> However ... ssh *does* demand that key files be accessible only by
> the user.

Hmm, right.  I should have thought of that.

> Is there a solution - if necessary using Windows tools -
> to make ssh happy while allowing a SYSTEM backup tool to back up
> the file?

Well, you could run a script before and after running the backup tool
which adds/removes SYSTEM perms to the affected files.

Alternatively you could do a fake from inside the Cygwin env:

- Move ~/.ssh to ~/.ssh-realperms

- Set the permissions in ~/.ssh-realperms as desired so they are secure
  *and* allow the backup tool to operate on them.

- Add a mount point to /etc/fstab.d/eliot:

  C:/cygwin64/home/eliot/.ssh-realperms /home/eliot/.ssh noacl 0 0

I didn't try that myself yet, but that should do what you want, because
ssh checks if the underlying filesystem (or mount point) accepts POSIX
permissions.  If not, certain permission checks are skipped.

HTH,
Corinna
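
The first suggestion in the reply above (a script run before and after the backup tool), sketched as an added example that is not part of the original message. The `g:SYSTEM:r--` entry, the function names and the backup command passed in are assumptions; `DRY_RUN=1` prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the thread): let SYSTEM read SSH key files only
# while a backup runs, then put them back to owner-only so ssh accepts them.

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Add a read-only ACL entry for the SYSTEM group to each key file.
grant_system() {
    for f in "$@"; do
        run setfacl -m g:SYSTEM:r-- "$f" || return 1
    done
}

# Drop the SYSTEM entry again and force the mode back to 600.
revoke_system() {
    for f in "$@"; do
        run setfacl -x g:SYSTEM "$f"
        run chmod 600 "$f"
    done
}

# Succeed only if no listed file has any group or other permission bit,
# which is the condition ssh applies to private key files.
keys_private_only() {
    for f in "$@"; do
        perm=$(ls -ld -- "$f" | cut -c5-10)
        if [ "$perm" != "------" ]; then
            echo "too open: $f" >&2
            return 1
        fi
    done
}

# Usage: backup_with_system_access BACKUP_CMD KEYFILE...
# BACKUP_CMD is a placeholder for whatever starts the backup tool.
backup_with_system_access() {
    backup_cmd=$1; shift
    rc=0
    grant_system "$@" && run "$backup_cmd" || rc=$?
    revoke_system "$@"                    # runs even if the backup failed
    run keys_private_only "$@" || return 1
    return "$rc"
}
```

The revoke step is not protected against the script itself being killed mid-backup, so a scheduled run of `keys_private_only` on the key files is a useful second check.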