This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: sshd, /etc/hosts.allow, & Alternate Access Methods


Igor Peshansky wrote:

> On Thu, 23 Feb 2006, Tim Daneliuk wrote:
>
>> Igor Peshansky wrote:
>>
>>> On Thu, 23 Feb 2006, Tim Daneliuk wrote:
>>>
>>> <SNIP>
>>>
>>> Same reason -- Cygwin isn't really ACL-aware.  You can also restore
>>> the original ACLs by running something like "getfacl hosts.allow |
>>> setfacl -f - hosts.allow.orig" (assuming the owner stays the same).
>>
>> -rwx------+ 1 tundra None  200 Feb 23 00:15 hosts.allow
>> -rwx------  1 tundra None  200 Feb 23 00:15 hosts.allow.orig
>> -rwx------+ 1 tundra None  407 Feb 23 00:15 hosts.deny
>
> These files should really be owned by SYSTEM (or whatever user sshd runs as).
>
>> Ahh - that was the hint I needed. But here is something very strange:
>>
>> As installed, hosts.allow is owned by the installing user - in this
>> case, "tundra" who is also an Administrator on the system.
>
> As installed by what? I couldn't find anything that generates that file.

I'm not sure.  I did a *complete* install of cygwin.  I dunno if it was
installed then, or when I ran ssh-host-config ...

>> sshd properly recognizes the rule found in this file.
>
> That's because it simply checks that a) permissions are no more than 700,
> and b) that the file is readable.  Both are satisfied, even though the
> owner is wrong.
>
>> HOWEVER, if I edit the file (to change allow rules), I *have* to chown
>> it to SYSTEM or ssh access outside localhost fails.
>
> Thank your editor which makes a copy.  Once you make a copy, Cygwin only
> copies the POSIX permissions (which are 700), so that the file is no
> longer readable by SYSTEM.  You can use the "getfacl | setfacl" trick to
> get the ACLs back.

Ah, OK that explains it...

>> Stranger still is that once the file is owned by SYSTEM, it cannot be
>> further edited because I get a "Permission Denied" on it with emacs or
>> vi - strange considering that I am an Administrator on the system.
>
> Why is this strange?  Normally you are not supposed to see files that
> belong to other users (and SYSTEM *is* another user).  You can grab the
> ownership of the file and edit it, or make it world readable/writable and
> edit it.  Just don't forget to change it back to the way it was, or sshd
> will complain.
>
>> P.S. Did I mention that I hate the Windows security model ;)
>
> Most of the above is not really due to Windows -- it would happen on any
> system that has ACLs.
> 	Igor

Point taken.

(And thanks for your help ;)
--
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
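Added example, not part of the message above nor code from the Cygwin project: a small POSIX shell helper that applies the two conditions the thread says sshd checks (mode no looser than 700, file readable) to a hosts.allow-style file, and wraps the "getfacl | setfacl" trick so a file that an editor has re-created gets its ACL back before sshd sees it. The file names are hypothetical, and `setfacl --set-file` (Linux acl package) is assumed to be the equivalent of the Cygwin `setfacl -f` spelling used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cygwin.
# Assumptions: file names passed in are hypothetical, and "setfacl --set-file"
# (Linux acl package) is treated as the equivalent of the Cygwin "setfacl -f"
# spelling used in the thread. Everything else is plain POSIX sh.

# Return 0 when FILE is readable by the caller and its POSIX mode grants
# nothing to group or other (no looser than 700), the two conditions the
# thread says sshd checks; otherwise print why on stderr and return 1.
check_wrapper_file() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "$file: not readable" >&2
        return 1
    fi
    # Columns 1-10 of "ls -ld": type, user, group and other bits. A "+" in
    # column 11 (extra ACL entries present) is deliberately not part of the test.
    perms=$(ls -ld "$file" | cut -c1-10)
    owner=$(ls -ld "$file" | awk '{print $3}')
    case "$perms" in
        ????------)
            echo "$file: mode $perms, owner $owner: ok" >&2
            return 0 ;;
        *)
            echo "$file: mode $perms is looser than 700" >&2
            return 1 ;;
    esac
}

# Apply a getfacl(1) dump stored in file DUMP to file DST.
# Tries the Linux spelling first, then the Cygwin one from the thread.
apply_acl_dump() {
    dump="$1"
    dst="$2"
    setfacl --set-file="$dump" "$dst" 2>/dev/null || setfacl -f "$dump" "$dst"
}

# The thread's "getfacl SRC | setfacl -f - DST", with a temp file in between
# so the same dump can be reused if the first setfacl spelling is rejected.
# Returns 1 when the ACL tools are missing so the caller can fall back to chmod.
restore_acl() {
    src="$1"
    dst="$2"
    if ! command -v getfacl >/dev/null 2>&1 || ! command -v setfacl >/dev/null 2>&1; then
        echo "getfacl/setfacl not available; ACL of $dst left unchanged" >&2
        return 1
    fi
    dump=$(mktemp) || return 1
    getfacl "$src" > "$dump" && apply_acl_dump "$dump" "$dst"
    status=$?
    rm -f "$dump"
    return $status
}

# Edit FILE with $EDITOR (default vi), then put back the ACL captured before
# the edit and re-run the permission check, so an editor that writes a fresh
# copy (the failure mode discussed in the thread) cannot silently leave the
# file unreadable to the account sshd runs as.
edit_wrapper_file() {
    file="$1"
    dump=$(mktemp) || return 1
    if command -v getfacl >/dev/null 2>&1; then
        getfacl "$file" > "$dump" 2>/dev/null
    fi
    ${EDITOR:-vi} "$file"
    if [ -s "$dump" ] && command -v setfacl >/dev/null 2>&1; then
        apply_acl_dump "$dump" "$file"
    fi
    rm -f "$dump"
    check_wrapper_file "$file"
}
```

Source the file and call `check_wrapper_file /etc/hosts.allow` after any edit, or `restore_acl hosts.allow hosts.allow.orig` for the one-off restore from the thread. The check only looks at POSIX bits and readability by the caller; the ownership point from the thread (the file should belong to the account sshd runs as) is printed alongside the mode so it can be confirmed by eye.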



