Igor Peshansky wrote:
> On Thu, 23 Feb 2006, Tim Daneliuk wrote:
> > Igor Peshansky wrote:
> > > On Thu, 23 Feb 2006, Tim Daneliuk wrote:
> > > > <SNIP>
> > >
> > > Same reason -- Cygwin isn't really ACL-aware. You can also restore
> > > the original ACLs by running something like "getfacl hosts.allow |
> > > setfacl -f - hosts.allow.orig" (assuming the owner stays the same).
> > >
> > > > -rwx------+ 1 tundra None 200 Feb 23 00:15 hosts.allow
> > > > -rwx------  1 tundra None 200 Feb 23 00:15 hosts.allow.orig
> > > > -rwx------+ 1 tundra None 407 Feb 23 00:15 hosts.deny
> > >
> > > These files should really be owned by SYSTEM (or whatever user sshd
> > > runs as).
> >
> > Ahh - that was the hint I needed. But here is something very strange:
> > As installed, hosts.allow is owned by the installing user - in this
> > case, "tundra" who is also an Administrator on the system.
>
> As installed by what? I couldn't find anything that generates that file.

I'm not sure. I did a *complete* install of cygwin. I dunno if it was
installed then, or when I ran ssh-host-config ...

> > sshd properly recognizes the rule found in this file.
>
> That's because it simply checks that a) permissions are no more than 700,
> and b) that the file is readable. Both are satisfied, even though the
> owner is wrong.
>
> > HOWEVER, if I edit the file (to change allow rules), I *have* to chown
> > it to SYSTEM or ssh access outside localhost fails.
>
> Thank your editor which makes a copy. Once you make a copy, Cygwin only
> copies the POSIX permissions (which are 700), so that the file is no
> longer readable by SYSTEM. You can use the "getfacl | setfacl" trick to
> get the ACLs back.

Ah, OK that explains it...

> > Stranger still is that once the file is owned by SYSTEM, it cannot be
> > further edited because I get a "Permission Denied" on it with emacs or
> > vi - strange considering that I am an Administrator on the system.
>
> Why is this strange? Normally you are not supposed to see files that
> belong to other users (and SYSTEM *is* another user). You can grab the
> ownership of the file and edit it, or make it world readable/writable and
> edit it. Just don't forget to change it back to the way it was, or sshd
> will complain.
>
> > P.S. Did I mention that I hate the Windows security model ;)
>
> Most of the above is not really due to Windows -- it would happen on any
> system that has ACLs.
>
> Igor

Point taken.
(And thanks for your help ;)
--
----------------------------------------------------------------------------
Tim Daneliuk [EMAIL PROTECTED]
PGP Key: http://www.tundraware.com/PGP/
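The snapshot, edit, restore sequence Igor describes (save the ACL with getfacl, put it back with setfacl after the editor's copy has dropped it, then confirm the mode sshd accepts), written out as an added example rather than anything posted in the thread. It assumes Cygwin's getfacl/setfacl (the "setfacl -f" form quoted above) and GNU stat; the function names are my own.

```shell
#!/bin/bash
# Added example, not from the thread: snapshot a file's ACL before editing,
# restore it afterwards, and re-check the POSIX mode sshd expects.
# Assumes Cygwin's getfacl/setfacl (the "setfacl -f" form quoted above) and
# GNU stat; on Linux the restore step would be "setfacl --restore" instead.

# First of the two checks the thread attributes to sshd: the POSIX mode must
# be 700 or tighter, i.e. no group or "other" bits set.
mode_ok() {
    local mode
    mode=$(stat -c %a "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]          # leading 0 = octal
}

# Save FILE's ACL (including the SYSTEM entry) to SNAPSHOT, or do nothing
# where no ACL tools exist.
acl_snapshot() {
    command -v getfacl >/dev/null 2>&1 || return 0
    getfacl "$1" > "$2"
}

# Put the saved ACL back on FILE. This is the "getfacl | setfacl -f -" trick
# from the thread, reading from a file instead of a pipe.
acl_restore() {
    command -v setfacl >/dev/null 2>&1 || return 0
    setfacl -f "$2" "$1"
}

# Edit FILE with $EDITOR, then restore the ACL that the editor's
# copy-and-rename lost, and warn if the resulting mode is looser than sshd
# accepts. The second sshd check (readable by the account sshd runs as,
# e.g. SYSTEM) cannot be tested from the editing user's session, so it is
# not attempted here.
safe_edit() {
    local file=$1 snap
    snap=$(mktemp) || return 1
    acl_snapshot "$file" "$snap"
    "${EDITOR:-vi}" "$file"
    acl_restore "$file" "$snap"
    rm -f "$snap"
    if ! mode_ok "$file"; then
        echo "warning: $file is mode $(stat -c %a "$file"); sshd wants 700 or tighter" >&2
        return 1
    fi
}
```

Run it as `safe_edit /etc/hosts.allow` from the same account that owns the file; if the ACL tools are missing it degrades to the mode check alone.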