sshd default user PATH

sshd default user PATH

[Achim Gratz]

I'm trying to figure out how sshd comes up with the PATH for the initial
environment.  Currently I get the Windows sytem PATH (converted to POSIX)
and then /bin appended.  This is no good, at least /bin should be at the
beginning of that PATH.

I've not been able to change this system-wide so far.  Apparently sshd has
been built on a machine where /etc/default/login wasn't present, at least it
doesn't appear to try to read that file (or any other system file) for
setting up the initial environment.  The /etc/sshrc is run if I create it,
but you can't set any environment variables from within it.  I don't want to
enable user environments.

I think it would be nice if there was a system file that could set the
initial environment for sshd, maybe setting external_path_file to
/etc/ssh_environment fits in better with the default Cygwin /etc layout, though.

Regards,
Achim.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: sshd default user PATH

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 2338 bytes --]

On Aug 14 09:56, Achim Gratz wrote:
> I'm trying to figure out how sshd comes up with the PATH for the initial
> environment.  Currently I get the Windows sytem PATH (converted to POSIX)
> and then /bin appended.  This is no good, at least /bin should be at the
> beginning of that PATH.

On other systems sshd sets $PATH to "/usr/bin:/bin:/usr/sbin:/sbin", but
on Cygwin it doesn't change $PATH and just takes what it got from
cygrunsrv so as not to break the search path for DLLs not in the system
directories.

So this is kind of a cygrunsrv problem.  It simply appends /bin to
$PATH, rather than prepending it.

> I've not been able to change this system-wide so far.  Apparently sshd has
> been built on a machine where /etc/default/login wasn't present, at least it
> doesn't appear to try to read that file (or any other system file) for
> setting up the initial environment.

Right, /etc/default/login and, fwiw, any method to change $PATH from the
default path is disabled on Cygwin deliberately for the reason outlined
above.

> The /etc/sshrc is run if I create it,
> but you can't set any environment variables from within it.  I don't want to
> enable user environments.
> 
> I think it would be nice if there was a system file that could set the
> initial environment for sshd, maybe setting external_path_file to
> /etc/ssh_environment fits in better with the default Cygwin /etc layout, though.

It's not that simple.  It requires a code change in sshd.  However,
maybe the rigorous handling is not required anymore these days.

Anyway, even if I re-enable /etc/default/login and the standard PATH
handling in sshd, there's no way to set an arbitrary environment.  For
security reasons, sshd is very selective in the environment variables it
sets up.  From /etc/default/login, it takes *only* PATH and UMASK,
for instance.  Everything else should be set in the shell profiles.

So, here's what I'll do:

- Change cygrunsrv to prepend /bin to $PATH rather then appending it.

- Drop the Cygwin specific ignorance of /etc/default/login from the
  source code and build a new OpenSSH package.

Does that sound ok?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: sshd default user PATH

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 2824 bytes --]

On Aug 14 13:20, Corinna Vinschen wrote:
> On Aug 14 09:56, Achim Gratz wrote:
> > I'm trying to figure out how sshd comes up with the PATH for the initial
> > environment.  Currently I get the Windows sytem PATH (converted to POSIX)
> > and then /bin appended.  This is no good, at least /bin should be at the
> > beginning of that PATH.
> 
> On other systems sshd sets $PATH to "/usr/bin:/bin:/usr/sbin:/sbin", but
> on Cygwin it doesn't change $PATH and just takes what it got from
> cygrunsrv so as not to break the search path for DLLs not in the system
> directories.
> 
> So this is kind of a cygrunsrv problem.  It simply appends /bin to
> $PATH, rather than prepending it.
> 
> > I've not been able to change this system-wide so far.  Apparently sshd has
> > been built on a machine where /etc/default/login wasn't present, at least it
> > doesn't appear to try to read that file (or any other system file) for
> > setting up the initial environment.
> 
> Right, /etc/default/login and, fwiw, any method to change $PATH from the
> default path is disabled on Cygwin deliberately for the reason outlined
> above.
> 
> > The /etc/sshrc is run if I create it,
> > but you can't set any environment variables from within it.  I don't want to
> > enable user environments.
> > 
> > I think it would be nice if there was a system file that could set the
> > initial environment for sshd, maybe setting external_path_file to
> > /etc/ssh_environment fits in better with the default Cygwin /etc layout, though.
> 
> It's not that simple.  It requires a code change in sshd.  However,
> maybe the rigorous handling is not required anymore these days.
> 
> Anyway, even if I re-enable /etc/default/login and the standard PATH
> handling in sshd, there's no way to set an arbitrary environment.  For
> security reasons, sshd is very selective in the environment variables it
> sets up.  From /etc/default/login, it takes *only* PATH and UMASK,
> for instance.  Everything else should be set in the shell profiles.
> 
> So, here's what I'll do:
> 
> - Change cygrunsrv to prepend /bin to $PATH rather then appending it.
> 
> - Drop the Cygwin specific ignorance of /etc/default/login from the
>   source code and build a new OpenSSH package.
> 
> Does that sound ok?

There's a problem.  On Cygwin it's not /etc/default, but /etc/defaults.
Note the trailing "s".

OpenSSH only provides support for /etc/default/login with no way to
influence the name or path.  This would require a patch to openssh just
for the sake of Cygwin.  I asked upstream, but I don't expect that this
will be changed any time soon.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: sshd default user PATH

[Achim Gratz]

Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> On other systems sshd sets $PATH to "/usr/bin:/bin:/usr/sbin:/sbin", but
> on Cygwin it doesn't change $PATH and just takes what it got from
> cygrunsrv so as not to break the search path for DLLs not in the system
> directories.

I'm running Cygwin since years with all traces of the Windows path
deliberately deleted and never hit any problem.  That would be different if
I tried to mix windows applications in, but I prefer to have wrapper scripts
for those anyway.

> So this is kind of a cygrunsrv problem.  It simply appends /bin to
> $PATH, rather than prepending it.

Ah, I was wondering where that comes from since nothing in sshd does it.  So
sshd just takes over the environment as set up by cygrunsrv?  Then it might
be a lot easier to just tell cygrunsrv what to put into PATH.

> Right, /etc/default/login and, fwiw, any method to change $PATH from the
> default path is disabled on Cygwin deliberately for the reason outlined
> above.

Thanks for confirming, after staring at the configure output for a while
I've finally found that #ifdef in the source...

> It's not that simple.  It requires a code change in sshd.  However,
> maybe the rigorous handling is not required anymore these days.

May not be necessary anyway.
 
> Anyway, even if I re-enable /etc/default/login and the standard PATH
> handling in sshd, there's no way to set an arbitrary environment.  For
> security reasons, sshd is very selective in the environment variables it
> sets up.  From /etc/default/login, it takes *only* PATH and UMASK,
> for instance.  Everything else should be set in the shell profiles.

I really only need PATH at the moment.  If I bounce commands directly onto
the server without going through a login shell nothing really works as
expected at the moment since Cygwin is last in path.  I don't want to add
Cygwin to the Windows path for other reasons and I really don't have control
what else gets added there and in which order.

> So, here's what I'll do:
> 
> - Change cygrunsrv to prepend /bin to $PATH rather then appending it.

I would appreciate if it could (optionally) look in some configuration file
(/etc/environment ?) and use PATH as defined there and store the path as set
up in Windows in ORIGINAL_PATH (like done in /etc/profile, where this is
conditional on CYGWIN_NOWINPATH being present).

> - Drop the Cygwin specific ignorance of /etc/default/login from the
>   source code and build a new OpenSSH package.
> 
> Does that sound ok?

Very much.  If the environment can be controlled via cygrunsrv, then the
changes to sshd might not be necessary.  I've just tried using "-e
PATH=/bin" in the sshd service startup, but PATH still seems to be
hardcopied from Windows (the setting is ignored if the environment variable
already exists?).


Regards,
Achim.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: sshd default user PATH

[Andrey Repin]

Greetings, Corinna Vinschen!

> There's a problem.  On Cygwin it's not /etc/default, but /etc/defaults.
> Note the trailing "s".

You're confusing /etc/default/ (a directory with default initial values for
runtime/startup configurations of [mainly] daemons), which could and SHOULD be
changed to suit system needs and Cygwin's /etc/defaults with pristine copy of
installation environment, which not supposed to be touched by anything, but
installation scripts.

> OpenSSH only provides support for /etc/default/login with no way to
> influence the name or path.  This would require a patch to openssh just
> for the sake of Cygwin.  I asked upstream, but I don't expect that this
> will be changed any time soon.

I don't expect it to be changed at all, since there's nothing needs to be
changed.
These two directories serve completely different purposes.


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 14.08.2014, <16:32>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: sshd default user PATH

[Achim Gratz]

Achim Gratz <Stromeko <at> NexGo.DE> writes:
> I've just tried using "-e PATH=/bin" in the sshd service startup, but
> PATH still seems to be hardcopied from Windows

I did this wrong.  I had to re-install the service, not just adding a
startup parameter.  With "-e "PATH=/usr/bin" the resulting initial PATH from
an ssh login is "PATH=/usr/bin:/bin".  So I can use that as a workaround and
we can spend some more time to think about whether that behaviour from
cygrunsrv or sshd needs further adjustment or if just the install helper
script should ask for these things.

Thanks for getting me on the right track.

Regards,
Achim.




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: sshd default user PATH

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1136 bytes --]

On Aug 14 13:01, Achim Gratz wrote:
> Achim Gratz <Stromeko <at> NexGo.DE> writes:
> > I've just tried using "-e PATH=/bin" in the sshd service startup, but
> > PATH still seems to be hardcopied from Windows
> 
> I did this wrong.  I had to re-install the service, not just adding a
> startup parameter.  With "-e "PATH=/usr/bin" the resulting initial PATH from
> an ssh login is "PATH=/usr/bin:/bin".  So I can use that as a workaround and
> we can spend some more time to think about whether that behaviour from
> cygrunsrv or sshd needs further adjustment or if just the install helper
> script should ask for these things.
> 
> Thanks for getting me on the right track.

That means the patch to sshd isn't that important.  Nevertheless, I
just released cygrunsrv-1.60-1, which prepends /bin to $PATH.

Funny enough, the README file claimed that /bin gets prepended to $PATH
since the early days.  Just the actual code didn't follow suit :-P


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: sshd default user PATH

[Achim Gratz]

Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> That means the patch to sshd isn't that important.  Nevertheless, I
> just released cygrunsrv-1.60-1, which prepends /bin to $PATH.
> 
> Funny enough, the README file claimed that /bin gets prepended to $PATH
> since the early days.  Just the actual code didn't follow suit :-P

The help output from the command still talks about adding it to PATH, so
that may actually have been intentional: prepending /bin might mess up
things if someone actually wants to get something in front.  All things
considered, I suggest that cygrunsrv doesn't fiddle with the PATH if an
explicit PATH environment has been given on the command line, but prepends
it to the PATH if it gets inherited from Windows.


Regards,
Achim.



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: sshd default user PATH

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 963 bytes --]

On Aug 19 09:08, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > That means the patch to sshd isn't that important.  Nevertheless, I
> > just released cygrunsrv-1.60-1, which prepends /bin to $PATH.
> > 
> > Funny enough, the README file claimed that /bin gets prepended to $PATH
> > since the early days.  Just the actual code didn't follow suit :-P
> 
> The help output from the command still talks about adding it to PATH, so
> that may actually have been intentional: prepending /bin might mess up
> things if someone actually wants to get something in front.  All things
> considered, I suggest that cygrunsrv doesn't fiddle with the PATH if an
> explicit PATH environment has been given on the command line, ...

Sounds like a good idea to me.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: sshd default user PATH

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1135 bytes --]

On Aug 19 12:58, Corinna Vinschen wrote:
> On Aug 19 09:08, Achim Gratz wrote:
> > Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > > That means the patch to sshd isn't that important.  Nevertheless, I
> > > just released cygrunsrv-1.60-1, which prepends /bin to $PATH.
> > > 
> > > Funny enough, the README file claimed that /bin gets prepended to $PATH
> > > since the early days.  Just the actual code didn't follow suit :-P
> > 
> > The help output from the command still talks about adding it to PATH, so
> > that may actually have been intentional: prepending /bin might mess up
> > things if someone actually wants to get something in front.  All things
> > considered, I suggest that cygrunsrv doesn't fiddle with the PATH if an
> > explicit PATH environment has been given on the command line, ...
> 
> Sounds like a good idea to me.

Or, for backward compatibility reasons, better append /bin if PATH is
given explicitely via -e.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]