This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
| Other format: | [Raw text] | |
On Apr 6 22:37, Achim Gratz wrote:
>
> I've got a new server for Cygwin @work and wanted to get the sshd to run
> with StrictMode on (it's been off on the old server). Long story short,
> some accounts used for administrative tasks are contrained so that I
> need to store the authorized_keys file directly on the server, so I
> added /etc/ssh/%u/authorized_keys in front of the default
> .ssh/authorized_keys. Unfortunately that only works if the same
> administrative account has been used to install Cygwin itself, lest sshd
> declares the directory /etc/ssh unsafe (or use StrictMode=no).
What exactly doesn't work? If it's the ownership of the dirs and
files, chown will do the trick, no?
> I found
> this patch that seems to address exactly the same situation:
>
> https://github.com/pierresouchay/cygwin_patches/blob/master/openssh.patch
>
> The code has since been refactored and a similar change would need to be
> applied elsewhere. Interestingly enough there is some special handling
> to _not_ check all the leading path components for the home directory
> (otherwise it wouldn't work at all). In my reading of the refactored
> code it seems that the same effect could be achieved by defining
> PLATFORM_SYS_DIR_UID appropriately (although I would prefer if that was
> configurable somewhere in a file). But it seems that for Cygwin that
> symbol doesn't get defined at all?
No, so far it's a special feature for AIX and HP/UX only. On these
platforms certain dirs and files are owned by the bin user with uid 2.
The problem on Cygwin is that we don't have a fixed uid owning the
entire system paths. It always depends on the account used to create
the system dirs, which can vary from installation to installation. What
you could do is adding a passwd entry with uid 0 for the account
installing Cygwin and make sure that the files are always owned by this
account (chown).
The only other way to fix this would be to define PLATFORM_SYS_DIR_UID
to be a function call on Cygwin, which checks the account for... what?
To be an admin account? That sounds quite relaxed, but I don't see
any other way.
Something like this in configure.ac:
AC_DEFINE([PLATFORM_SYS_DIR_UID], cygwin_valid_sys_dir_owner(), [System dirs owned by admin account])
and a bit of extra code in openbsd-compat/bsd-cygwin_util.c along the
lines of:
/* return uid if uid is a valid system dir-owning uid */
cygwin_valid_sys_dir_owner (uid_t uid)
{
struct pw = getpwuid (uid);
getgrouplist (pw->pw_name, pw->pw_gid, grplist, &ngroups);
if (544 in grplist)
return 1
return 0;
}
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
Attachment:
signature.asc
Description: PGP signature
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |