This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: TEST RELEASE: Cygwin 1.7.34-002


On 12/12/2014 8:49 AM, Michael DePaulo wrote:
On Sat, Dec 6, 2014 at 2:49 PM, Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:
I finally released another TEST version of the next upcoming Cygwin
release.  The version number is 1.7.34-002.

I *think* I am experiencing a very bad regression.

These are the Windows permissions on my ~/.ssh/id_rsa file:
C:\cygwin\home\mike\.ssh>icacls id_rsa
id_rsa NT AUTHORITY\SYSTEM:(F)
        DEPAULO\mike:(R,W,D,WDAC,WO)

Under cygwin 1.7.33-2, I am able to use the file fine:

mike@executor ~
$ uname -a
CYGWIN_NT-6.3-WOW64 executor 1.7.33-2(0.280/5/3) 2014-11-13 15:45 i686 Cygwin

mike@executor ~
$ ssh galactica
Enter passphrase for key '/home/mike/.ssh/id_rsa':
Last login: Fri Dec 12 08:36:39 2014 from executor.depaulo.org
mike@galactica:~ :) [1] $ exit
logout
Connection to galactica closed.

mike@executor ~
$ cd .ssh

mike@executor ~/.ssh
$ ls -latr id_rsa
-rw------- 1 mike mkpasswd 1743 Dec  7  2013 id_rsa


But under 1.7.34-002, I get a permissions error:

mike@executor ~
$ uname -a
CYGWIN_NT-6.3-WOW64 executor 1.7.34(0.282/5/3) 2014-12-06 18:03 i686 Cygwin

mike@executor ~
$ ssh galactica
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0670 for '/home/mike/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private_type: bad permissions
mike@galactica's password:


mike@executor ~
$ cd .ssh

mike@executor ~/.ssh
$ ls -latr id_rsa
-rw-rwx---+ 1 mike Domain Users 1743 Dec  7  2013 id_rsa

This isn't a regression. It's a deliberate change, so that Cygwin now takes ACLs into account when calculating permissions. The simplest fix is to use the new feature of setfacl to remove the unwanted permissions. From the release announcement:

- Add -b/--remove-all option to setfacl to reduce the ACL to only the
  entries representing POSIX permission bits.

Ken


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]