public inbox for cygwin@cygwin.com
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: (call-process ...) hangs in emacs
Date: Fri, 29 Aug 2014 21:43:00 -0000
Message-ID: <20140829214334.GA2644@calimero.vinschen.de>
In-Reply-To: <5400D64D.1090709@cornell.edu>

On Aug 29 15:36, Ken Brown wrote:
> On 8/29/2014 3:23 PM, Achim Gratz wrote:
> >Ken Brown writes:
> >>With the latest snapshot I can't start the sshd service.  The
> >>Application Log just says, "`sshd' service stopped, exit
> >>status:255". The problem doesn't occur with the 2014-08-27 snapshot.
> >>I guess this has something to do with the new permissions on various
> >>files, but I'm not sure which ones.
> >
> >Off the top of my head for the standard installation:
> >
> >/etc/ssh*
> >/var/empty
> >/var/log/sshd
> >
> >When you try to debug the sshd, IIR these are the files that must be
> >chown'ed to the admin user that runs sshd from the terminal.  Running in
> >debug mode (either from the terminal or via sshd_config) should produce
> >messages which file or directory sshd is choking on.
> 
> I just checked /var/log/sshd.log.  (I hadn't thought to do that before.)
> The last message in it is, "/var/empty must be owned by root and not group
> or world-writable."  So the problem seems to be that /var/empty appears to
> sshd to be group writable under the latest snapshot.  This is the "downside"
> that Corinna mentioned.  What needs to be done to /var/empty to fix this?

What needs to be done is to fix the ssh-host-config script.  It adds an
ACE for SYSTEM on /var/empty, /etc, and /var/log for no apparent reason.

I just sent a patch upstream which removes the code trying to generate
/etc and /var/log entirely (done by setup.exe) and which drops adding
a SYSTEM ACE to /var/empty.

A temporary workaround is either to remove the SYSTEM ACE:

  $ setfacl -d g:18: /var/empty

or to change /etc/sshd_config not to use privilege separation:

  UsePrivilegeSeparation no

However, this is obviously a problem for all existing installations.
OpenSSH 6.7p1 will be released pretty soon.  I will add a postinstall
script which removes the SYSTEM ACE from /var/empty at installation
time.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
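
The check and workaround discussed in this message, as an added example that is not part of the original mail and not Cygwin or OpenSSH code: a shell audit that flags the group/world write bits named in the sshd log line and any ACL entry for gid 18 (SYSTEM). The `getfacl -n` output format, the function names and the sample ACL are assumptions constructed for illustration.

```shell
# Added example; sample data is constructed.
# Assumption: `getfacl -n` prints numeric entries such as "group:18:rwx",
# and gid 18 is SYSTEM, as in the setfacl command quoted in the message.
SYSTEM_GID=18

# Succeeds when the octal mode has neither the group nor the world write
# bit set, which is the condition named in the sshd log line.
mode_is_safe() {
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# Reads getfacl -n output on stdin and prints every access or default
# entry that names the given numeric group.
group_aces() {
    awk -F: -v gid="$1" '
        /^#/ || NF < 3 { next }
        { off = ($1 == "default") ? 1 : 0 }
        $(1 + off) == "group" && $(2 + off) == gid { print }
    '
}

# audit_privsep_dir PATH MODE ACL_TEXT
# Prints one finding per line; returns 1 if anything was found.
audit_privsep_dir() {
    path=$1 mode=$2 acl=$3 rc=0
    if ! mode_is_safe "$mode"; then
        echo "$path: mode $mode is group- or world-writable"
        rc=1
    fi
    aces=$(printf '%s\n' "$acl" | group_aces "$SYSTEM_GID")
    if [ -n "$aces" ]; then
        echo "$path: SYSTEM ACE present ($aces); workaround: setfacl -d g:$SYSTEM_GID: $path"
        rc=1
    fi
    return $rc
}

# Constructed getfacl -n output for a directory carrying the extra ACE.
SAMPLE_ACL='# file: /var/empty
user::rwx
group::r-x
group:18:rwx
mask:rwx
other:r-x'

# On a live system:
#   audit_privsep_dir /var/empty "$(stat -c %a /var/empty)" "$(getfacl -n /var/empty)"
audit_privsep_dir /var/empty 775 "$SAMPLE_ACL" || true
```

The script only reports; it prints the `setfacl -d` workaround from the message rather than running it.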