From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: TEST RELEASE: Cygwin 1.7.34-002
Date: Mon, 15 Dec 2014 11:35:00 -0000 [thread overview]
Message-ID: <20141215113542.GE11307@calimero.vinschen.de> (raw)
In-Reply-To: <548AFD43.1040306@cornell.edu>
[-- Attachment #1: Type: text/plain, Size: 3297 bytes --]
On Dec 12 09:35, Ken Brown wrote:
> On 12/12/2014 8:49 AM, Michael DePaulo wrote:
> >On Sat, Dec 6, 2014 at 2:49 PM, Corinna Vinschen
> ><corinna-cygwin@cygwin.com> wrote:
> >>I finally released another TEST version of the next upcoming Cygwin
> >>release. The version number is 1.7.34-002.
> >
> >I *think* I am experiencing a very bad regression.
> >
> >These are the Windows permissions on my ~/.ssh/id_rsa file:
> >C:\cygwin\home\mike\.ssh>icacls id_rsa
> >id_rsa NT AUTHORITY\SYSTEM:(F)
> > DEPAULO\mike:(R,W,D,WDAC,WO)
> >[...]
> >$ uname -a
> >CYGWIN_NT-6.3-WOW64 executor 1.7.34(0.282/5/3) 2014-12-06 18:03 i686 Cygwin
> >
> >mike@executor ~
> >$ ssh galactica
> >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
> >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >Permissions 0670 for '/home/mike/.ssh/id_rsa' are too open.
> >It is recommended that your private key files are NOT accessible by others.
> >This private key will be ignored.
> >key_load_private_type: bad permissions
> >[...]
> >mike@executor ~/.ssh
> >$ ls -latr id_rsa
> >-rw-rwx---+ 1 mike Domain Users 1743 Dec 7 2013 id_rsa
>
> This isn't a regression. It's a deliberate change, so that Cygwin now takes
> ACLs into account when calculating permissions. The simplest fix is to use
> the new feature of setfacl to remove the unwanted permissions. From the
> release announcement:
>
> >- Add -b/--remove-all option to setfacl to reduce the ACL to only the
> > entries representing POSIX permission bits.
>
> Ken
What he says. Here are the important snippets from the POSIX ACL Linux
man page (for instance http://linux.die.net/man/5/acl), which was never
before implemented in Cygwin, but which is with the test release (and
thus the upcoming release):
An ACL that contains entries of ACL_USER or ACL_GROUP tag types must
contain exactly one entry of the ACL_MASK tag type.
Windows doesn't support MASK entries. But POSIX requires a MASK entry
if a supplementary user or group has an ACL entry, thus Cygwin emulates
the entry.
The ACL_MASK entry denotes the maximum access rights that can be
granted by entries of type ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.
So the emulated MASK entry is the or'ed mask of all permissions granted
to the primary group and all supplementary users and groups.
There is a correspondence between the file owner, group, and other
permissions and specific ACL entries:
[...]
If the ACL has an ACL_MASK entry, the group permissions correspond to
the permissions of the ACL_MASK entry.
So, the group permissions don't simply reflect the permissions of the
primary group, but the sum of permissions of the primary group and all
supplementary users and groups in the ACL.
It's unfortunate that this may break more installations, but it's also a
security improvment. The group permissions reflect the fact that the
permissions granted to your ssh key are too open. Fortunately the new
-b option to setfacl allows a quick fix.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2014-12-15 11:35 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20141206194943.GD3810@calimero.vinschen.de>
2014-12-09 22:18 ` Michael DePaulo
2014-12-10 12:35 ` Corinna Vinschen
2014-12-12 13:49 ` Michael DePaulo
2014-12-12 14:35 ` Ken Brown
2014-12-15 11:35 ` Corinna Vinschen [this message]
2014-12-15 17:15 ` Achim Gratz
2014-12-15 17:59 ` Corinna Vinschen
2014-12-15 20:39 ` Corinna Vinschen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141215113542.GE11307@calimero.vinschen.de \
--to=corinna-cygwin@cygwin.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).