Re: TEST RELEASE: Cygwin 1.7.34-002
From: Michael DePaulo @ 2014-12-09 22:18 UTC
To: The Cygwin Mailing List

On Sat, Dec 6, 2014 at 2:49 PM, Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:
> For your convenience I wrote new documentation. Since this is a TEST
> prerelease, the new documentation is not part of the official docs yet.
> Rather have a look at
>
> https://cygwin.com/preliminary-ntsec.html
>
> If you read it (which I seriously hope for) and it's all just
> incomprehensible gobbledygook to you, please say so on the mailing list

Might I suggest a clarification for the section "Samba account mapping"?

Remember that there are multiple components to Samba nowadays, such as
the AD DC and the NT4-style DC. But this part of the documentation
concerns itself with only the Samba file server, smbd.

At the beginning of it, change:

A fully set up Samba with domain integration is running winbindd to
map Window SIDs to artificially created UNIX uids and gids, and this
mapping is transparent within the domain, so Cygwin doesn't have to do
anything special.

to something like:

A fully set up Samba file server with domain integration is running
winbindd to map Window SIDs to artificially created UNIX uids and
gids, and this mapping is transparent within the domain, so Cygwin
doesn't have to do anything special to access Samba shares.

-Mike

--
Problem reports:     http://cygwin.com/problems.html
FAQ:                 http://cygwin.com/faq/
Documentation:       http://cygwin.com/docs.html
Unsubscribe info:    http://cygwin.com/ml/#unsubscribe-simple
Re: TEST RELEASE: Cygwin 1.7.34-002
From: Corinna Vinschen @ 2014-12-10 12:35 UTC
To: cygwin

On Dec 9 17:18, Michael DePaulo wrote:
> On Sat, Dec 6, 2014 at 2:49 PM, Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> > For your convenience I wrote new documentation. Since this is a TEST
> > prerelease, the new documentation is not part of the official docs yet.
> > Rather have a look at
> >
> > https://cygwin.com/preliminary-ntsec.html
> >
> > If you read it (which I seriously hope for) and it's all just
> > incomprehensible gobbledygook to you, please say so on the mailing list
>
> Might I suggest a clarification for the section "Samba account mapping"?
>
> Remember that there are multiple components to Samba nowadays, such as
> the AD DC and the NT4-style DC. But this part of the documentation
> concerns itself with only the Samba file server, smbd.
>
> At the beginning of it, change:
> A fully set up Samba with domain integration is running winbindd to
> map Window SIDs to artificially created UNIX uids and gids, and this
> mapping is transparent within the domain, so Cygwin doesn't have to do
> anything special.
>
> to something like:
> A fully set up Samba file server with domain integration is running
> winbindd to map Window SIDs to artificially created UNIX uids and
> gids, and this mapping is transparent within the domain, so Cygwin
> doesn't have to do anything special to access Samba shares.

Done.

Thanks,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
Re: TEST RELEASE: Cygwin 1.7.34-002
From: Michael DePaulo @ 2014-12-12 13:49 UTC
To: The Cygwin Mailing List

On Sat, Dec 6, 2014 at 2:49 PM, Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:
> I finally released another TEST version of the next upcoming Cygwin
> release. The version number is 1.7.34-002.

I *think* I am experiencing a very bad regression.

These are the Windows permissions on my ~/.ssh/id_rsa file:

C:\cygwin\home\mike\.ssh>icacls id_rsa
id_rsa NT AUTHORITY\SYSTEM:(F)
       DEPAULO\mike:(R,W,D,WDAC,WO)

Under cygwin 1.7.33-2, I am able to use the file fine:

mike@executor ~
$ uname -a
CYGWIN_NT-6.3-WOW64 executor 1.7.33-2(0.280/5/3) 2014-11-13 15:45 i686 Cygwin

mike@executor ~
$ ssh galactica
Enter passphrase for key '/home/mike/.ssh/id_rsa':
Last login: Fri Dec 12 08:36:39 2014 from executor.depaulo.org
mike@galactica:~ :) [1] $ exit
logout
Connection to galactica closed.

mike@executor ~
$ cd .ssh

mike@executor ~/.ssh
$ ls -latr id_rsa
-rw------- 1 mike mkpasswd 1743 Dec 7 2013 id_rsa

But under 1.7.34-002, I get a permissions error:

mike@executor ~
$ uname -a
CYGWIN_NT-6.3-WOW64 executor 1.7.34(0.282/5/3) 2014-12-06 18:03 i686 Cygwin

mike@executor ~
$ ssh galactica
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0670 for '/home/mike/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private_type: bad permissions
mike@galactica's password:

mike@executor ~
$ cd .ssh

mike@executor ~/.ssh
$ ls -latr id_rsa
-rw-rwx---+ 1 mike Domain Users 1743 Dec 7 2013 id_rsa

-Mike
Re: TEST RELEASE: Cygwin 1.7.34-002
From: Ken Brown @ 2014-12-12 14:35 UTC
To: cygwin

On 12/12/2014 8:49 AM, Michael DePaulo wrote:
> On Sat, Dec 6, 2014 at 2:49 PM, Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
>> I finally released another TEST version of the next upcoming Cygwin
>> release. The version number is 1.7.34-002.
>
> I *think* I am experiencing a very bad regression.
>
> These are the Windows permissions on my ~/.ssh/id_rsa file:
> C:\cygwin\home\mike\.ssh>icacls id_rsa
> id_rsa NT AUTHORITY\SYSTEM:(F)
>        DEPAULO\mike:(R,W,D,WDAC,WO)
>
> Under cygwin 1.7.33-2, I am able to use the file fine:
>
> mike@executor ~
> $ uname -a
> CYGWIN_NT-6.3-WOW64 executor 1.7.33-2(0.280/5/3) 2014-11-13 15:45 i686 Cygwin
>
> mike@executor ~
> $ ssh galactica
> Enter passphrase for key '/home/mike/.ssh/id_rsa':
> Last login: Fri Dec 12 08:36:39 2014 from executor.depaulo.org
> mike@galactica:~ :) [1] $ exit
> logout
> Connection to galactica closed.
>
> mike@executor ~
> $ cd .ssh
>
> mike@executor ~/.ssh
> $ ls -latr id_rsa
> -rw------- 1 mike mkpasswd 1743 Dec 7 2013 id_rsa
>
>
> But under 1.7.34-002, I get a permissions error:
>
> mike@executor ~
> $ uname -a
> CYGWIN_NT-6.3-WOW64 executor 1.7.34(0.282/5/3) 2014-12-06 18:03 i686 Cygwin
>
> mike@executor ~
> $ ssh galactica
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0670 for '/home/mike/.ssh/id_rsa' are too open.
> It is recommended that your private key files are NOT accessible by others.
> This private key will be ignored.
> key_load_private_type: bad permissions
> mike@galactica's password:
>
>
> mike@executor ~
> $ cd .ssh
>
> mike@executor ~/.ssh
> $ ls -latr id_rsa
> -rw-rwx---+ 1 mike Domain Users 1743 Dec 7 2013 id_rsa

This isn't a regression. It's a deliberate change, so that Cygwin now
takes ACLs into account when calculating permissions. The simplest fix
is to use the new feature of setfacl to remove the unwanted
permissions. From the release announcement:

> - Add -b/--remove-all option to setfacl to reduce the ACL to only the
>   entries representing POSIX permission bits.

Ken
Re: TEST RELEASE: Cygwin 1.7.34-002
From: Corinna Vinschen @ 2014-12-15 11:35 UTC
To: cygwin

On Dec 12 09:35, Ken Brown wrote:
> On 12/12/2014 8:49 AM, Michael DePaulo wrote:
> >On Sat, Dec 6, 2014 at 2:49 PM, Corinna Vinschen
> ><corinna-cygwin@cygwin.com> wrote:
> >>I finally released another TEST version of the next upcoming Cygwin
> >>release. The version number is 1.7.34-002.
> >
> >I *think* I am experiencing a very bad regression.
> >
> >These are the Windows permissions on my ~/.ssh/id_rsa file:
> >C:\cygwin\home\mike\.ssh>icacls id_rsa
> >id_rsa NT AUTHORITY\SYSTEM:(F)
> >       DEPAULO\mike:(R,W,D,WDAC,WO)
> >[...]
> >$ uname -a
> >CYGWIN_NT-6.3-WOW64 executor 1.7.34(0.282/5/3) 2014-12-06 18:03 i686 Cygwin
> >
> >mike@executor ~
> >$ ssh galactica
> >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >Permissions 0670 for '/home/mike/.ssh/id_rsa' are too open.
> >It is recommended that your private key files are NOT accessible by others.
> >This private key will be ignored.
> >key_load_private_type: bad permissions
> >[...]
> >mike@executor ~/.ssh
> >$ ls -latr id_rsa
> >-rw-rwx---+ 1 mike Domain Users 1743 Dec 7 2013 id_rsa
>
> This isn't a regression. It's a deliberate change, so that Cygwin now takes
> ACLs into account when calculating permissions. The simplest fix is to use
> the new feature of setfacl to remove the unwanted permissions. From the
> release announcement:
>
> >- Add -b/--remove-all option to setfacl to reduce the ACL to only the
> > entries representing POSIX permission bits.
>
> Ken

What he says.

Here are the important snippets from the POSIX ACL Linux man page (for
instance http://linux.die.net/man/5/acl), which was never before
implemented in Cygwin, but which is with the test release (and thus the
upcoming release):

  An ACL that contains entries of ACL_USER or ACL_GROUP tag types must
  contain exactly one entry of the ACL_MASK tag type.

Windows doesn't support MASK entries. But POSIX requires a MASK entry
if a supplementary user or group has an ACL entry, thus Cygwin emulates
the entry.

  The ACL_MASK entry denotes the maximum access rights that can be
  granted by entries of type ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.

So the emulated MASK entry is the or'ed mask of all permissions granted
to the primary group and all supplementary users and groups.

  There is a correspondence between the file owner, group, and other
  permissions and specific ACL entries: [...] If the ACL has an
  ACL_MASK entry, the group permissions correspond to the permissions
  of the ACL_MASK entry.

So, the group permissions don't simply reflect the permissions of the
primary group, but the sum of permissions of the primary group and all
supplementary users and groups in the ACL.

It's unfortunate that this may break more installations, but it's also
a security improvement. The group permissions reflect the fact that
the permissions granted to your ssh key are too open. Fortunately the
new -b option to setfacl allows a quick fix.

Corinna
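The mask rule Corinna quotes above, worked through on the ACL from Mike's icacls output. This is an added example, not Cygwin's code: ACL entries are simplified to (tag, perms, qualifier) tuples, the SYSTEM full-control ACE is taken as rwx, and the "Domain Users" primary group is assumed to have no entry of its own, which is what the icacls listing shows.

```python
# Added example (not Cygwin's code): models the acl(5) rules quoted in the
# thread.  Cygwin emulates ACL_MASK as the OR of ACL_GROUP_OBJ and every
# ACL_USER / ACL_GROUP entry, and ls then shows that mask in the group bits.
R, W, X = 4, 2, 1

CAPPED_BY_MASK = ("ACL_GROUP_OBJ", "ACL_USER", "ACL_GROUP")
MODE_BIT_TAGS = ("ACL_USER_OBJ", "ACL_GROUP_OBJ", "ACL_OTHER")


def emulated_mask(acl):
    """ACL_MASK as Cygwin emulates it: union of everything the mask caps."""
    mask = 0
    for tag, perms, _ in acl:
        if tag in CAPPED_BY_MASK:
            mask |= perms
    return mask


def has_extended_entries(acl):
    """acl(5): a MASK entry is required iff ACL_USER/ACL_GROUP entries exist."""
    return any(tag in ("ACL_USER", "ACL_GROUP") for tag, _, _ in acl)


def posix_mode(acl):
    """Owner/group/other bits as ls would show them (no setuid/setgid/sticky)."""
    base = {tag: perms for tag, perms, _ in acl if tag in MODE_BIT_TAGS}
    # With a MASK entry the group bits show the mask, not the primary group.
    group = emulated_mask(acl) if has_extended_entries(acl) else base["ACL_GROUP_OBJ"]
    return (base["ACL_USER_OBJ"] << 6) | (group << 3) | base["ACL_OTHER"]


def remove_all(acl):
    """What 'setfacl -b' does: keep only entries that map to POSIX mode bits."""
    return [e for e in acl if e[0] in MODE_BIT_TAGS]


# Constructed from the icacls output in the thread: owner mike has
# read/write, SYSTEM is a supplementary user with full control, and the
# primary group (Domain Users) and everyone else have no entry of their own.
ID_RSA_ACL = [
    ("ACL_USER_OBJ", R | W, "mike"),
    ("ACL_GROUP_OBJ", 0, "Domain Users"),
    ("ACL_USER", R | W | X, "SYSTEM"),
    ("ACL_OTHER", 0, ""),
]

if __name__ == "__main__":
    print(oct(posix_mode(ID_RSA_ACL)))              # 0o670, what ssh rejected
    print(oct(posix_mode(remove_all(ID_RSA_ACL))))  # 0o600 after setfacl -b
```

The 0670 that ssh complains about is therefore not the primary group's access but SYSTEM's rwx surfacing through the emulated mask; dropping the extended entries is what brings the reported mode back to 0600.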
Re: TEST RELEASE: Cygwin 1.7.34-002
From: Achim Gratz @ 2014-12-15 17:15 UTC
To: cygwin

Corinna Vinschen writes:
> It's unfortunate that this may break more installations, but it's also a
> security improvement. The group permissions reflect the fact that the
> permissions granted to your ssh key are too open. Fortunately the new
> -b option to setfacl allows a quick fix.

Speaking of setfacl, would it be possible to also implement the -k /
--remove-default option?

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf rackAttack V1.04R1:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
Re: TEST RELEASE: Cygwin 1.7.34-002
From: Corinna Vinschen @ 2014-12-15 17:59 UTC
To: cygwin

On Dec 15 18:15, Achim Gratz wrote:
> Corinna Vinschen writes:
> > It's unfortunate that this may break more installations, but it's also a
> > security improvement. The group permissions reflect the fact that the
> > permissions granted to your ssh key are too open. Fortunately the new
> > -b option to setfacl allows a quick fix.
>
> Speaking of setfacl, would it be possible to also implement the -k /
> --remove-default option?

Hmm, should be possible with a minor tweak...

Corinna
Re: TEST RELEASE: Cygwin 1.7.34-002
From: Corinna Vinschen @ 2014-12-15 20:39 UTC
To: cygwin

On Dec 15 18:59, Corinna Vinschen wrote:
> On Dec 15 18:15, Achim Gratz wrote:
> > Corinna Vinschen writes:
> > > It's unfortunate that this may break more installations, but it's also a
> > > security improvement. The group permissions reflect the fact that the
> > > permissions granted to your ssh key are too open. Fortunately the new
> > > -b option to setfacl allows a quick fix.
> >
> > Speaking of setfacl, would it be possible to also implement the -k /
> > --remove-default option?
>
> Hmm, should be possible with a minor tweak...

You got it: https://cygwin.com/snapshots/

Corinna