Re: sshd default user PATH

[Corinna Vinschen <corinna-cygwin@cygwin.com>]

[-- Attachment #1: Type: text/plain, Size: 2338 bytes --]

On Aug 14 09:56, Achim Gratz wrote:
> I'm trying to figure out how sshd comes up with the PATH for the initial
> environment.  Currently I get the Windows sytem PATH (converted to POSIX)
> and then /bin appended.  This is no good, at least /bin should be at the
> beginning of that PATH.

On other systems sshd sets $PATH to "/usr/bin:/bin:/usr/sbin:/sbin", but
on Cygwin it doesn't change $PATH and just takes what it got from
cygrunsrv so as not to break the search path for DLLs not in the system
directories.

So this is kind of a cygrunsrv problem.  It simply appends /bin to
$PATH, rather than prepending it.

> I've not been able to change this system-wide so far.  Apparently sshd has
> been built on a machine where /etc/default/login wasn't present, at least it
> doesn't appear to try to read that file (or any other system file) for
> setting up the initial environment.

Right, /etc/default/login and, fwiw, any method to change $PATH from the
default path is disabled on Cygwin deliberately for the reason outlined
above.

> The /etc/sshrc is run if I create it,
> but you can't set any environment variables from within it.  I don't want to
> enable user environments.
> 
> I think it would be nice if there was a system file that could set the
> initial environment for sshd, maybe setting external_path_file to
> /etc/ssh_environment fits in better with the default Cygwin /etc layout, though.

It's not that simple.  It requires a code change in sshd.  However,
maybe the rigorous handling is not required anymore these days.

Anyway, even if I re-enable /etc/default/login and the standard PATH
handling in sshd, there's no way to set an arbitrary environment.  For
security reasons, sshd is very selective in the environment variables it
sets up.  From /etc/default/login, it takes *only* PATH and UMASK,
for instance.  Everything else should be set in the shell profiles.

So, here's what I'll do:

- Change cygrunsrv to prepend /bin to $PATH rather then appending it.

- Drop the Cygwin specific ignorance of /etc/default/login from the
  source code and build a new OpenSSH package.

Does that sound ok?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]