This is the mail archive of the
mailing list for the Cygwin project.
Re: OpenSSH + Public Key Auth + ntsec
- From: John <cras at werd dot net>
- To: andrew brian clegg <a dot clegg at mail dot cryst dot bbk dot ac dot uk>
- Cc: cygwin at cygwin dot com
- Date: Tue, 8 Jul 2003 13:39:53 -0500 (EST)
- Subject: Re: OpenSSH + Public Key Auth + ntsec
Here is the corruption as explained by my NT admin:
--- Begin ---
Our current ACL is:
(Owner) : Administrators
Administrators : Full Control
SYSTEM : Full Control
ServiceAccount : Full Control
Currently, whatever ssh/scp touches - the following ACL gets applied:
(Owner) : ServiceAccount
Administrators : none (no permissions set)
SYSTEM : none (no permissions set)
ServiceAccount : none (no permissions set)
CREATOR GROUP : none (no permissions set)
CREATOR OWNER : none (no permissions set)
Everyone : Read/Write/Execute
None : none (no permissions set)
--- End ---
Also, when trying to take ownership of the files in windows (as
administrator), we get the following error: "The security descriptor
structure is invalid". The fix for this was to run xcacls.exe and that
allowed us to take ownership of files and directories.
Obviously, we're using ssh/scp for moving files around for an automated
process. When files have been pushed to an ssh server, sometimes they are
not accessible by the user that scp'd them in the first place and our jobs
cannot continue. When I first noticed this, I logged in via ssh and saw
these files were owned by the creator but had 0000 perms. I did a "chmod
0644" and our automated process was then able to continue. This happens
sporadically on some of our machines running cygwin. A workaround for
this is to "chmod 0644 <filename>" for every file before we do any further
processing of the file (move, copy, open, etc).
So there are two issues, not sure if they are directly related. One, the
ACLs are getting changed to a point where an administrator can't regain
ownership through normal methods. And two, when files are written,
sometimes they get 0000 perms.
We have reformatted these machines and done fresh installs and yet the
corruption happens all over again on every machine using cygwin & ssh.
If there were a way to not use ntsec and use inherited permissions via
nontsec, that would be stellar.
On Tue, 8 Jul 2003, andrew brian clegg wrote:
> On Tue, 8 Jul 2003, John wrote:
> > CYGWIN="binmode ntsec tty".
> > When making directories via ssh:
> > ssh <server> "mkdir /cygdrive/d/temp/test"
> > or when copying files via scp:
> > scp file.txt <server>:/cygdrive/d/temp/test
> > the files are given the "ntsec" permissions from cygwin and are corrupting
> > the NTFS filesystem.
> Corrupting in what sense?
> I use ssh with ntsec set on and haven't seen any corruption yet, I should
> certainly like to know about it if it's likely to happen. Admittedly my
> setup is with password rather than PK authentication though.
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
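The workaround described in the message (resetting 0000-mode files to 0644 before further processing) can be run as a guard step that also logs which files were affected. This is an added example, not part of the original message or of Cygwin; the function name `repair_zero_perms` is hypothetical, and it assumes file names contain no newlines.

```shell
#!/bin/sh
# repair_zero_perms DIR [MODE]
#   Finds regular files under DIR whose permission bits are exactly 0000,
#   resets them to MODE (default 0644, the value used in the message),
#   logs every repaired path to stderr and prints the number repaired on
#   stdout. Returns 1 if any chmod failed, 2 if DIR is not a directory.
repair_zero_perms() {
    dir=$1
    mode=${2:-0644}
    count=0
    failed=0

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Collect matches in a temp file so the loop below runs in this shell
    # (a pipeline would put the counters in a subshell and lose them).
    list=$(mktemp) || return 1

    # -perm 0000 is an exact match: only files with no permission bits set.
    find "$dir" -type f -perm 0000 -print > "$list"

    while IFS= read -r f; do
        if chmod "$mode" "$f"; then
            echo "repaired: $f" >&2
            count=$((count + 1))
        else
            echo "FAILED to repair: $f" >&2
            failed=1
        fi
    done < "$list"
    rm -f "$list"

    echo "$count"
    return "$failed"
}
```

The stderr log gives a per-run record of how often the 0000-mode condition occurs on each machine.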