This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Which privileges required by ssh-host-config running user?


Manel Rodero wrote:
Because you are bound by the laws of NTFS access control entries. Having rights to write to a file doesn't mean you are allowed to change its owner. You need permissions to change the directory the files are in.
And getting this right is easier in Windows than in Cygwin.
Use cacls to look at etc and the files.





Yes, I've looked into /etc and /etc/ssh* files. /etc directory is created by
the setup process. The ssh* files are created by the ssh-host-config script.

I know that the problem is with ACLs in the NTFS files but I would like to
know why this problem only occurs in these servers (casually all of them are
in a Windows domain). Does the process of joining a domain change something
in the local Administration account?

You want to try with the domain administrator account, not the local administrator.
If you're logging on as administrator, and log on to is set to the domain, then you are already doing so and something most unusual is occurring - suggestive of an admin removing administrator access to the root filesystem, or to certain parts of it.



In a working server:


C:\cygwin\etc>cacls .
C:\cygwin\etc Everyone:(OI)(CI)F

---> the script has changed the ACL to SYSTEM !!!

C:\cygwin\etc>cacls ssh_config
C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
                                             STANDARD_RIGHTS_ALL
                                             DELETE
                                             READ_CONTROL
                                             WRITE_DAC
                                             WRITE_OWNER
                                             SYNCHRONIZE
                                             STANDARD_RIGHTS_REQUIRED
                                             FILE_GENERIC_READ
                                             FILE_GENERIC_WRITE
                                             FILE_GENERIC_EXECUTE
                                             FILE_READ_DATA
                                             FILE_WRITE_DATA
                                             FILE_APPEND_DATA
                                             FILE_READ_EA
                                             FILE_WRITE_EA
                                             FILE_EXECUTE
                                             FILE_READ_ATTRIBUTES
                                             FILE_WRITE_ATTRIBUTES

                         SERVEROK\None:R
                         Everyone:R

In the problematic servers (the ACLs are the default ones because the
ssh-host-config script can't change them):

C:\cygwin\etc>cacls .
C:\cygwin\etc Everyone:(OI)(CI)F

---> The Default ACLs of the files created by ssh-host-config (Administrator
doesn't have full control over the files; but Administrator is the owner of
the files)

C:\cygwin\etc>cacls sshd_config
C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
                                              STANDARD_RIGHTS_ALL
                                              DELETE
                                              READ_CONTROL
                                              WRITE_DAC
                                              WRITE_OWNER
                                              SYNCHRONIZE
                                              STANDARD_RIGHTS_REQUI
                                              FILE_GENERIC_READ
                                              FILE_GENERIC_WRITE
                                              FILE_READ_DATA
                                              FILE_WRITE_DATA
                                              FILE_APPEND_DATA
                                              FILE_READ_EA
                                              FILE_WRITE_EA
                                              FILE_READ_ATTRIBUTES
                                              FILE_WRITE_ATTRIBUTES

                          SERVERWRONG\None:(special access:)
                                     READ_CONTROL
                                     SYNCHRONIZE
                                     FILE_GENERIC_READ
                                     FILE_READ_DATA
                                     FILE_READ_EA
                                     FILE_READ_ATTRIBUTES

                          Everyone:(special access:)
                                   READ_CONTROL
                                   SYNCHRONIZE
                                   FILE_GENERIC_READ
                                   FILE_READ_DATA
                                   FILE_READ_EA
                                   FILE_READ_ATTRIBUTES

So, which RIGHTS does the Administrator account need to be able to change the
owner of a file?

Thank you.



--

Spinning complacently in the darkness, covered and blinded by a blanket
of little lives, false security has lulled the madness of this world
into a slumber. Wake up! An eye is upon you, staring straight down and
keenly through, seeing all that you are and everything that you will
never be. Yes, an eye is upon you, an eye ready to blink. So face
forward, with arms wide open and mind reeling. Your future has
arrived... Are you ready to go?
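
To compare cacls listings like the two quoted in this message without reading them by eye, the following Python sketch (an added example, not part of the original thread) parses the output into per-principal rights and diffs the first ACE of each file. The sample strings are abridged from the listings above, the function names are hypothetical, and the parser assumes the file path contains no spaces.

```python
import re

# Constructed samples: abridged from the two cacls listings in the message above.
WORKING = r"""C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
                                             WRITE_DAC
                                             WRITE_OWNER
                                             FILE_GENERIC_READ
                                             FILE_GENERIC_EXECUTE
                                             FILE_EXECUTE

                         SERVEROK\None:R
                         Everyone:R
"""
FAILING = r"""C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
                                              WRITE_DAC
                                              WRITE_OWNER
                                              FILE_GENERIC_READ

                          SERVERWRONG\None:(special access:)
                                     READ_CONTROL
                                     FILE_GENERIC_READ

                          Everyone:(special access:)
                                   READ_CONTROL
                                   FILE_GENERIC_READ
"""
# An ACE header is "principal:perm"; perm is "(special access:)", "R", "(OI)(CI)F", ...
ENTRY = re.compile(r"^(.+?):(\(special access:\)|(?:\([A-Z]+\))*[A-Z])$")

def parse_cacls(text):
    """Return {principal: set of rights} for one file, in listing order."""
    acl, current = {}, None
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    lines[0] = lines[0].split(None, 1)[1]  # drop the leading path (no spaces assumed)
    for line in lines:
        m = ENTRY.match(line)
        if m:  # new ACE; a simple perm such as "R" is stored as its only right
            current, perm = m.group(1), m.group(2)
            acl[current] = set() if perm.startswith("(special") else {perm}
        elif current is not None:  # continuation line naming one specific right
            acl[current].add(line)
    return acl

def diff_first_ace(ok_text, bad_text):
    """Compare the first ACE (the one cacls prints beside the path) of two listings."""
    (ok_who, ok), (bad_who, bad) = (next(iter(parse_cacls(t).items())) for t in (ok_text, bad_text))
    return {"principals": (ok_who, bad_who),
            "only_in_working": sorted(ok - bad), "only_in_failing": sorted(bad - ok),
            "both_have_write_owner": "WRITE_OWNER" in (ok & bad)}
```

On these samples the diff shows that both first ACEs carry WRITE_OWNER and WRITE_DAC; what differs is the principal the ACE names and the execute rights.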
