This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: sshd, /etc/hosts.allow, & Alternate Access Methods


On Thu, 23 Feb 2006, Tim Daneliuk wrote:

> Igor Peshansky wrote:
>
> > On Thu, 23 Feb 2006, Tim Daneliuk wrote:
> >
> <SNIP>
>
> > Same reason -- Cygwin isn't really ACL-aware.  You can also restore
> > the original ACLs by running something like "getfacl hosts.allow |
> > setfacl -f - hosts.allow.orig" (assuming the owner stays the same).
> >
> > > -rwx------+ 1 tundra None  200 Feb 23 00:15 hosts.allow
> > > -rwx------  1 tundra None  200 Feb 23 00:15 hosts.allow.orig
> > > -rwx------+ 1 tundra None  407 Feb 23 00:15 hosts.deny
> >
> > These files should really be owned by SYSTEM (or whatever user sshd
> > runs as).
>
> Ahh - that was the hint I needed.  But here is something very strange:
>
> As installed, hosts.allow is owned by the installing user - in this
> case, "tundra" who is also an Administrator on the system.

As installed by what?  I couldn't find anything that generates that file.

> sshd properly recognizes the rule found in this file.

That's because it simply checks that a) permissions are no more than 700,
and b) that the file is readable.  Both are satisfied, even though the
owner is wrong.

> HOWEVER, if I edit the file (to change allow rules), I *have* to chown
> it to SYSTEM or ssh access outside localhost fails.

Thank your editor, which makes a copy.  Once you make a copy, Cygwin only
copies the POSIX permissions (which are 700), so that the file is no
longer readable by SYSTEM.  You can use the "getfacl | setfacl" trick to
get the ACLs back.

> Stranger still is that once the file is owned by SYSTEM, it cannot be
> further edited because I get a "Permission Denied" on it with emacs or
> vi - strange considering that I am an Administrator on the system.

Why is this strange?  Normally you are not supposed to see files that
belong to other users (and SYSTEM *is* another user).  You can grab the
ownership of the file and edit it, or make it world readable/writable and
edit it.  Just don't forget to change it back to the way it was, or sshd
will complain.

> P.S. Did I mention that I hate the Windows security model ;)

Most of the above is not really due to Windows -- it would happen on any
system that has ACLs.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_	    pechtcha@cs.nyu.edu | igor@watson.ibm.com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in
that!" -- Rostand, "Cyrano de Bergerac"

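The "getfacl | setfacl" trick from the reply above, wrapped around an editor run so the ACL entry sshd depends on survives the editor's copy-and-rename; this is an added example, not code from the thread. It assumes Cygwin's `setfacl -f FILE` syntax and GNU `stat`; `wrappers_file_ok` mirrors the two checks the reply attributes to sshd (mode no more permissive than 700, file readable).

```shell
#!/bin/sh
# Added example: keep sshd (running as SYSTEM) able to read /etc/hosts.allow
# after an edit on Cygwin. Editors that save via copy+rename carry over only
# the POSIX bits (700), so SYSTEM's ACL entry is lost on the new file.
# Assumptions: Cygwin setfacl supporting "-f FILE", GNU coreutils stat.

# Return 0 if FILE passes the two checks the thread says sshd applies:
# readable by the caller, and no group/other permission bits set.
wrappers_file_ok() {
    f="$1"
    [ -r "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    # Normalise to four octal digits (handles "0" and setuid-style "4700"),
    # then drop the leading special-bits digit to keep the ugo triple.
    ugo=$(printf '%04o' "0$mode")
    ugo=${ugo#?}
    case "$ugo" in
        ?00) return 0 ;;   # 700, 600, 400 ... all acceptable
        *)   return 1 ;;   # any group/other bit set: sshd would reject it
    esac
}

# Save FILE's full ACL, run EDITOR... on it, then reapply the saved ACL to
# whatever inode the editor left behind. Usage: edit_preserving_acl FILE vi
edit_preserving_acl() {
    f="$1"; shift
    saved=$(mktemp) || return 1
    # getfacl dumps owner/group and every ACL entry, including SYSTEM's
    getfacl "$f" > "$saved" || { rm -f "$saved"; return 1; }
    "$@" "$f"
    # Cygwin syntax: read the saved ACL entries back onto the (new) file
    setfacl -f "$saved" "$f"
    rc=$?
    rm -f "$saved"
    [ "$rc" -eq 0 ] || return "$rc"
    wrappers_file_ok "$f"
}
```

Run `edit_preserving_acl /etc/hosts.allow vi` instead of editing the file directly; a non-zero exit means the ACL restore failed or the mode is now wider than 700.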