This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: File Permissions - Yet Another Question / Clarification
- From: Bryan Berns <bryan dot berns at gmail dot com>
- To: cygwin at cygwin dot com
- Date: Thu, 2 Apr 2015 22:56:23 -0400
- Subject: Re: File Permissions - Yet Another Question / Clarification
- Authentication-results: sourceware.org; auth=none
- References: <CADi7v6K6Xbz3JYB-=JC23YMCEHzhmV3sSOAtcE73ydTecbcR-Q at mail dot gmail dot com> <152755247 dot 20150401232333 at yandex dot ru> <CADi7v6L0LyBSMRHWpWkcRPv-9=mZQLMTOPcyLO_k8kujV=ypTQ at mail dot gmail dot com> <402200952 dot 20150402043205 at yandex dot ru> <CADi7v6+T7Wg=JncC2K-SWANkG6xKL+Z0Y+4azRLs1S8s-YXwdw at mail dot gmail dot com> <1876247786 dot 20150402183153 at yandex dot ru> <CADi7v6+xL4GPSCkQixXgyDBM2N7RNJmNLRgqyQrmVQqeJRERbQ at mail dot gmail dot com> <87twwyxtin dot fsf at Rainer dot invalid> <CADi7v6+te0gAh-knHwRnBz_O6i8FJAFc_AJ5=hfutW6u7y4wJg at mail dot gmail dot com>
Replying to myself on this topic in case anyone else is interested.
> 2) how can I get SSH to believe the two "admin" groups on my
> files are acceptable. I'm not optimistic I'm going to get SSH to
> change it's behavior so I may need to recompile it to avoid the
> check.... which is obviously not desirable from a maintainability
> standpoint.
The applicable check at work here is check_ntsec() and the several
lines after within authfile.c in the openssh package. I confirmed
there is no elegant way to avoid or externally augment these checks as
it's currently programmed without patching and recompiling (or using
something like Microsoft Detours to fake out the external call to
pathconf() which is called by check_ntsec() -- very ugly).
I completely agree with the general guidance that these are important
checks as it prevents the user from accidentally exposing their
private keys. In our environment, the check is returning a false
positive given our home directory permissions are tightly controlled
(immutable by end users, in fact) and some cross-domain administrative
groups are used to delegate control of the directories to certain
authorized personnel. Eliminating these groups from the DACL and
granting these personnel Backup/Restore rights on the entire filer
(hundreds of terabytes) is not a secure solution for us. I'm guessing
others in a large corporate environment may find themselves in a
similar scenario.
I was able to modify the check to work for our scenario and recompile.
Obviously this isn't the ideal solution, but it looks like it's our
only path forward.
I still have to figure out why file ownership isn't recorded properly
--- if I figure that out, I'll let everyone know as well.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple