This is the mail archive of the cygwin mailing list for the Cygwin project.
RE: Which privileges required by ssh-host-config running user?
- From: "Manel Rodero" <manel at fib dot upc dot edu>
- To: <cygwin at cygwin dot com>
- Date: Wed, 18 Jan 2006 16:05:41 +0100
- Subject: RE: Which privileges required by ssh-host-config running user?
>
> Because you are bound by the laws of NTFS access control
> entries. Having rights to write to a file doesn't mean you are
> allowed to change its owner. You need permissions to change
> the directory the files are in.
> And getting this right is easier in Windows than in Cygwin.
> Use cacls to look at etc and the files.
>
>
Yes, I've looked into /etc and /etc/ssh* files. The /etc directory is created by
the setup process. The ssh* files are created by the ssh-host-config script.
I know that the problem is with ACLs in the NTFS files but I would like to
know why this problem only occurs in these servers (casually all of them are
in a Windows domain). Does the process of joining a domain change something
in the local Administration account?

In a working server:

C:\cygwin\etc>cacls .
C:\cygwin\etc Everyone:(OI)(CI)F

---> the script has changed the ACL to SYSTEM !!!

C:\cygwin\etc>cacls ssh_config
C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
        STANDARD_RIGHTS_ALL
        DELETE
        READ_CONTROL
        WRITE_DAC
        WRITE_OWNER
        SYNCHRONIZE
        STANDARD_RIGHTS_REQUIRED
        FILE_GENERIC_READ
        FILE_GENERIC_WRITE
        FILE_GENERIC_EXECUTE
        FILE_READ_DATA
        FILE_WRITE_DATA
        FILE_APPEND_DATA
        FILE_READ_EA
        FILE_WRITE_EA
        FILE_EXECUTE
        FILE_READ_ATTRIBUTES
        FILE_WRITE_ATTRIBUTES
    SERVEROK\None:R
    Everyone:R

In the problematic servers (the ACLs are the default ones because the
ssh-host-config script can't change them):

C:\cygwin\etc>cacls .
C:\cygwin\etc Everyone:(OI)(CI)F

---> The Default ACLs of the files created by ssh-host-config (Administrator
doesn't have full control over the files; but Administrator is the owner of
the files)

C:\cygwin\etc>cacls sshd_config
C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
        STANDARD_RIGHTS_ALL
        DELETE
        READ_CONTROL
        WRITE_DAC
        WRITE_OWNER
        SYNCHRONIZE
        STANDARD_RIGHTS_REQUI
        FILE_GENERIC_READ
        FILE_GENERIC_WRITE
        FILE_READ_DATA
        FILE_WRITE_DATA
        FILE_APPEND_DATA
        FILE_READ_EA
        FILE_WRITE_EA
        FILE_READ_ATTRIBUTES
        FILE_WRITE_ATTRIBUTES
    SERVERWRONG\None:(special access:)
        READ_CONTROL
        SYNCHRONIZE
        FILE_GENERIC_READ
        FILE_READ_DATA
        FILE_READ_EA
        FILE_READ_ATTRIBUTES
    Everyone:(special access:)
        READ_CONTROL
        SYNCHRONIZE
        FILE_GENERIC_READ
        FILE_READ_DATA
        FILE_READ_EA
        FILE_READ_ATTRIBUTES

So, which RIGHTS does the Administrator account need to be able to change the
owner of a file?
Thank you.
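
Added example, not part of the original message and not Cygwin or Microsoft code: a small Python parser for the cacls listings quoted in the message, which diffs the SYSTEM ACE on the working server against the Administrator ACE on the problematic one. The function names and the condensed sample text are assumptions of this example.

```python
import re

# Constructed sample: condensed from the two listings quoted in the message
# (rights wrapped several per line); the cut-off token is kept as posted.
WORKING = r"""C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
    STANDARD_RIGHTS_ALL DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE
    STANDARD_RIGHTS_REQUIRED FILE_GENERIC_READ FILE_GENERIC_WRITE
    FILE_GENERIC_EXECUTE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA
    FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE FILE_READ_ATTRIBUTES
    FILE_WRITE_ATTRIBUTES
    SERVEROK\None:R
    Everyone:R"""
PROBLEM = r"""C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
    STANDARD_RIGHTS_ALL DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE
    STANDARD_RIGHTS_REQUI FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA
    FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA
    FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES
    SERVERWRONG\None:(special access:)
    READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_READ_DATA FILE_READ_EA
    FILE_READ_ATTRIBUTES
    Everyone:(special access:)
    READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_READ_DATA FILE_READ_EA
    FILE_READ_ATTRIBUTES"""

ACE = re.compile(r"^(?P<who>[^:]+):(?P<perm>\S.*)$")

def parse_cacls(text, path):
    """Return {principal: set of rights} for one cacls listing of `path`."""
    aces, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):            # first line also carries the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:                                 # "principal:perm" opens a new ACE
            current = aces.setdefault(m["who"], set())
            simple = re.sub(r"\([^)]*\)", "", m["perm"])  # drop (OI), (special access:)
            if simple:
                current.add(simple)           # letter form such as R or F
        elif line and current is not None:    # continuation: named rights
            current.update(line.split())
    return aces

def diff_ace(reference, candidate):
    """Rights listed only in `reference`, and only in `candidate`."""
    return sorted(reference - candidate), sorted(candidate - reference)

def can_rewrite_security(ace):
    """True if the ACE lists both WRITE_DAC and WRITE_OWNER."""
    return {"WRITE_DAC", "WRITE_OWNER"} <= ace
```

On the posted listings both ACEs list WRITE_DAC and WRITE_OWNER; the diff reports the two execute rights and the cut-off token, which is surfaced separately rather than guessed at.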