On Apr 9 09:52, Corinna Vinschen wrote: > On Apr 6 22:37, Achim Gratz wrote: > > > > I've got a new server for Cygwin @work and wanted to get the sshd to run > > with StrictMode on (it's been off on the old server). Long story short, > > some accounts used for administrative tasks are contrained so that I > > need to store the authorized_keys file directly on the server, so I > > added /etc/ssh/%u/authorized_keys in front of the default > > .ssh/authorized_keys. Unfortunately that only works if the same > > administrative account has been used to install Cygwin itself, lest sshd > > declares the directory /etc/ssh unsafe (or use StrictMode=no). > > What exactly doesn't work? If it's the ownership of the dirs and > files, chown will do the trick, no? > > > In my reading of the refactored > > code it seems that the same effect could be achieved by defining > > PLATFORM_SYS_DIR_UID appropriately (although I would prefer if that was > > configurable somewhere in a file). But it seems that for Cygwin that > > symbol doesn't get defined at all? > > No, so far it's a special feature for AIX and HP/UX only. On these > platforms certain dirs and files are owned by the bin user with uid 2. > > The problem on Cygwin is that we don't have a fixed uid owning the > entire system paths. It always depends on the account used to create > the system dirs, which can vary from installation to installation. What > you could do is adding a passwd entry with uid 0 for the account > installing Cygwin and make sure that the files are always owned by this > account (chown). > > The only other way to fix this would be to define PLATFORM_SYS_DIR_UID > to be a function call on Cygwin, which checks the account for... what? > To be an admin account? That sounds quite relaxed, but I don't see > any other way. > > Something like this [...]
Please try if this patch to openssh will do the trick for you. I only
tested that it builds, but not if it works as desired.
From 6b493f7e9f5ab7c64fa56c84ea727d3d06a12c0f Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <vinsc...@redhat.com>
Date: Mon, 9 Apr 2018 12:56:31 +0200
Subject: [PATCH] cygwin: add function call to provide OS-specific
PLATFORM_SYS_DIR_UID
---
configure.ac | 1 +
openbsd-compat/bsd-cygwin_util.c | 25 +++++++++++++++++++++++++
openbsd-compat/bsd-cygwin_util.h | 1 +
3 files changed, 27 insertions(+)
diff --git a/configure.ac b/configure.ac
index 663062bef142..a5f68c367c92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -626,6 +626,7 @@ case "$host" in
file descriptor passing])
AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer
size])
AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain
backslash characters])
+ AC_DEFINE([PLATFORM_SYS_DIR_UID], cygwin_valid_sys_dir_owner(uid),
[System dirs owned by admin account])
# Cygwin defines optargs, optargs as declspec(dllimport) for historical
# reasons which cause compile warnings, so we disable those warnings.
OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index 398a5f617af5..0f5bb1a4448a 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -33,6 +33,7 @@
#ifdef HAVE_CYGWIN
#include <sys/types.h>
+#include <grp.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
@@ -116,4 +117,28 @@ free_windows_environment(char **p)
free(p);
}
+/* Check if current account is administrative account (aka member of
+ * group 544 "Administrators")
+ */
+uid_t
+cygwin_valid_sys_dir_owner(uid_t uid)
+{
+ int ngrps = 0;
+ gid_t *grps = NULL;
+ struct passwd *pw;
+
+ pw = getpwuid(uid);
+ if (!pw)
+ return 0;
+
+ if (getgrouplist(pw->pw_name, pw->pw_gid, grps, &ngrps) < 0) {
+ grps = (gid_t *) alloca(sizeof (gid_t) * ngrps);
+ if (getgrouplist(pw->pw_name, pw->pw_gid, grps, &ngrps) < 0)
+ return 0;
+ while (--ngrps >= 0)
+ if (grps[ngrps] == 544)
+ return uid;
+ }
+ return 0;
+}
#endif /* HAVE_CYGWIN */
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index 9cef694b9a7c..e2d53f47defe 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -44,6 +44,7 @@ typedef void *HANDLE;
windows headers, so we have to define them here explicitely. */
extern HANDLE cygwin_logon_user (const struct passwd *, const char *);
extern void cygwin_set_impersonation_token (const HANDLE);
+extern uid_t cygwin_valid_sys_dir_owner(uid_t uid);
#include <sys/cygwin.h>
#include <io.h>
--
2.14.3
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
signature.asc
Description: PGP signature
