This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

RE: Wich privileges required by ssh-host-config running user?


> 
> Because your are bound by the laws of ntfs access control 
> entrys. Having rights to write to a file doesn't mean you are 
> allowed to change its owner. You need permissions to change 
> the directory the files are in.
> And getting this right is easier in windows than in cygwin.
> Use cacls to look at etc and the files.
> 
> 

Yes, I've look into /etc and /etc/ssh* files. /etc directory is created by
the setup process. The ssh* files are created by the ssh-host-config script.

I know that the problem is with ACLs in the NTFS files but I would like to
know why this problem only occurs in these servers (casually all of them are
in a windows domain). Does the process of joining a domain change something
in the local Administration account?

In a working server:

C:\cygwin\etc>cacls .
C:\cygwin\etc Everyone:(OI)(CI)F

---> the script have changed the ACL to SYSTEM !!!

C:\cygwin\etc>cacls ssh_config
C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
                                             STANDARD_RIGHTS_ALL
                                             DELETE
                                             READ_CONTROL
                                             WRITE_DAC
                                             WRITE_OWNER
                                             SYNCHRONIZE
                                             STANDARD_RIGHTS_REQUIRED
                                             FILE_GENERIC_READ
                                             FILE_GENERIC_WRITE
                                             FILE_GENERIC_EXECUTE
                                             FILE_READ_DATA
                                             FILE_WRITE_DATA
                                             FILE_APPEND_DATA
                                             FILE_READ_EA
                                             FILE_WRITE_EA
                                             FILE_EXECUTE
                                             FILE_READ_ATTRIBUTES
                                             FILE_WRITE_ATTRIBUTES

                         SERVEROK\None:R
                         Everyone:R

In the problematic servers (the ACLs are the default ones because the
ssh-host-config script can't change them):

C:\cygwin\etc>cacls .
C:\cygwin\etc Everyone:(OI)(CI)F

---> The Default ACLs of the files created by ssh-host-config (Administrator
doesn't have full control over the files; but Administrator is the owner of
the files)

C:\cygwin\etc>cacls sshd_config
C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
                                              STANDARD_RIGHTS_ALL
                                              DELETE
                                              READ_CONTROL
                                              WRITE_DAC
                                              WRITE_OWNER
                                              SYNCHRONIZE
                                              STANDARD_RIGHTS_REQUI
                                              FILE_GENERIC_READ
                                              FILE_GENERIC_WRITE
                                              FILE_READ_DATA
                                              FILE_WRITE_DATA
                                              FILE_APPEND_DATA
                                              FILE_READ_EA
                                              FILE_WRITE_EA
                                              FILE_READ_ATTRIBUTES
                                              FILE_WRITE_ATTRIBUTES

                          SERVERWRONG\None:(special access:)
                                     READ_CONTROL
                                     SYNCHRONIZE
                                     FILE_GENERIC_READ
                                     FILE_READ_DATA
                                     FILE_READ_EA
                                     FILE_READ_ATTRIBUTES

                          Everyone:(special access:)
                                   READ_CONTROL
                                   SYNCHRONIZE
                                   FILE_GENERIC_READ
                                   FILE_READ_DATA
                                   FILE_READ_EA
                                   FILE_READ_ATTRIBUTES

So, which RIGHTS need the Administrator account to be able to change the
owner of a file?

Thank you.


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]