Which privileges are required by the user running ssh-host-config?

Chris Taylor chris@equate.dyndns.org
Wed Jan 18 15:36:00 GMT 2006


Manel Rodero wrote:
>>Because you are bound by the laws of ntfs access control 
>>entries. Having rights to write to a file doesn't mean you are 
>>allowed to change its owner. You need permissions to change 
>>the directory the files are in.
>>And getting this right is easier in windows than in cygwin.
>>Use cacls to look at etc and the files.
>>
>>
> 
> 
> Yes, I've looked into /etc and /etc/ssh* files. /etc directory is created by
> the setup process. The ssh* files are created by the ssh-host-config script.
> 
> I know that the problem is with ACLs in the NTFS files but I would like to
> know why this problem only occurs in these servers (casually all of them are
> in a windows domain). Does the process of joining a domain change something
> in the local Administration account?

You want to try with the domain administrator account, not the local 
administrator.
If you're logging on as administrator, and log on to is set to the 
domain, then you are already doing so and something most unusual is 
occurring - suggestive of an admin removing administrator access to the 
root filesystem, or to certain parts of it.

> 
> In a working server:
> 
> C:\cygwin\etc>cacls .
> C:\cygwin\etc Everyone:(OI)(CI)F
> 
> ---> the script has changed the ACL to SYSTEM !!!
> 
> C:\cygwin\etc>cacls ssh_config
> C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
>                                              STANDARD_RIGHTS_ALL
>                                              DELETE
>                                              READ_CONTROL
>                                              WRITE_DAC
>                                              WRITE_OWNER
>                                              SYNCHRONIZE
>                                              STANDARD_RIGHTS_REQUIRED
>                                              FILE_GENERIC_READ
>                                              FILE_GENERIC_WRITE
>                                              FILE_GENERIC_EXECUTE
>                                              FILE_READ_DATA
>                                              FILE_WRITE_DATA
>                                              FILE_APPEND_DATA
>                                              FILE_READ_EA
>                                              FILE_WRITE_EA
>                                              FILE_EXECUTE
>                                              FILE_READ_ATTRIBUTES
>                                              FILE_WRITE_ATTRIBUTES
> 
>                          SERVEROK\None:R
>                          Everyone:R
> 
> In the problematic servers (the ACLs are the default ones because the
> ssh-host-config script can't change them):
> 
> C:\cygwin\etc>cacls .
> C:\cygwin\etc Everyone:(OI)(CI)F
> 
> ---> The Default ACLs of the files created by ssh-host-config (Administrator
> doesn't have full control over the files; but Administrator is the owner of
> the files)
> 
> C:\cygwin\etc>cacls sshd_config
> C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
>                                               STANDARD_RIGHTS_ALL
>                                               DELETE
>                                               READ_CONTROL
>                                               WRITE_DAC
>                                               WRITE_OWNER
>                                               SYNCHRONIZE
>                                               STANDARD_RIGHTS_REQUI
>                                               FILE_GENERIC_READ
>                                               FILE_GENERIC_WRITE
>                                               FILE_READ_DATA
>                                               FILE_WRITE_DATA
>                                               FILE_APPEND_DATA
>                                               FILE_READ_EA
>                                               FILE_WRITE_EA
>                                               FILE_READ_ATTRIBUTES
>                                               FILE_WRITE_ATTRIBUTES
> 
>                           SERVERWRONG\None:(special access:)
>                                      READ_CONTROL
>                                      SYNCHRONIZE
>                                      FILE_GENERIC_READ
>                                      FILE_READ_DATA
>                                      FILE_READ_EA
>                                      FILE_READ_ATTRIBUTES
> 
>                           Everyone:(special access:)
>                                    READ_CONTROL
>                                    SYNCHRONIZE
>                                    FILE_GENERIC_READ
>                                    FILE_READ_DATA
>                                    FILE_READ_EA
>                                    FILE_READ_ATTRIBUTES
> 
> So, which RIGHTS does the Administrator account need to be able to change the
> owner of a file?
> 
> Thank you.
> 


-- 

Spinning complacently in the darkness, covered and blinded by a blanket
of little lives, false security has lulled the madness of this world
into a slumber. Wake up! An eye is upon you, staring straight down and
keenly through, seeing all that you are and everything that you will
never be. Yes, an eye is upon you, an eye ready to blink. So face
forward, with arms wide open and mind reeling. Your future has
arrived... Are you ready to go?
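
Added example (not part of the original message, and not Cygwin code): a small Python parser for cacls listings like the ones quoted above, reporting who holds WRITE_OWNER and which rights one ACE lacks relative to another. The function names are hypothetical and the two sample dumps are shortened, constructed copies of the quoted output.

```python
import re

def parse_cacls(path, text):
    """Return {principal: set(rights)} from one `cacls <path>` listing."""
    acl, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # drop mail quoting and indentation
        if line.startswith(path):
            line = line[len(path):].strip()      # first ACE shares a line with the path
        if not line:
            continue
        if ":" in line:                          # "principal:spec" starts a new ACE
            principal, spec = line.split(":", 1)
            current = acl.setdefault(principal.strip(), set())
            spec = re.sub(r"\((OI|CI|IO|NP)\)", "", spec).strip()  # inheritance flags
            if spec and not spec.startswith("(special access"):
                current.add(spec)                # short code: R, W, C or F
        elif current is not None:
            current.add(line)                    # one named right per line
    return acl

def holders(acl, right):
    """Principals whose ACE grants `right`; F (full control) implies every right."""
    return sorted(p for p, r in acl.items() if right in r or "F" in r)

def missing(reference, candidate):
    """Rights in the reference ACE that the candidate ACE does not have."""
    return sorted(reference - candidate)

# Constructed samples, shortened from the two listings in the message.
OK = r"""C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
                                             WRITE_DAC
                                             WRITE_OWNER
                                             FILE_GENERIC_READ
                                             FILE_GENERIC_WRITE
                                             FILE_GENERIC_EXECUTE
                                             FILE_EXECUTE
                         SERVEROK\None:R
                         Everyone:R"""
BAD = r"""C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
                                              WRITE_DAC
                                              WRITE_OWNER
                                              FILE_GENERIC_READ
                                              FILE_GENERIC_WRITE"""

if __name__ == "__main__":
    ok = parse_cacls(r"C:\cygwin\etc\ssh_config", OK)
    bad = parse_cacls(r"C:\cygwin\etc\sshd_config", BAD)
    print(holders(bad, "WRITE_OWNER"), missing(ok[r"NT AUTHORITY\SYSTEM"], bad[r"SERVERWRONG\Administrator"]))
```

An ACE granting WRITE_OWNER lets that principal take ownership for itself; assigning a file to a different account such as SYSTEM also depends on privileges in the caller's token (SeRestorePrivilege), which cacls output does not show.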
