From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Wed, 13 Mar 2019 08:56:00 -0000
Subject: Re: sshd privsep user still required?

On Mar 12 16:21, Bill Stewart wrote:
> On Thu, 17 Jan 2019 Corinna Vinschen wrote:
>
> > > Is the sshd disabled user account still required?
> >
> > No, actually it isn't. These days the sshd server checks if the
> > privsep chroot environment should be used and that the process
> > is started under "root:root". This never matches under Cygwin so
> > we could drop the sshd user requirement.
>
> So I was exploring using the ChrootDirectory setting in sshd_config to
> configure a user as sftp only.
>
> The following seems to work:
>
> 1) Run sshd service as SYSTEM
>
> 2) Specify SYSTEM as user 0 in /etc/passwd file; e.g.:
>
>    SYSTEM:*:0:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/var/empty:/bin/false
>
> 3) Create a local sshd user account
>
> 4) Update sshd_config settings to use something such as:
>
>    Match User sftponly
>    ChrootDirectory /home/%u
>    ForceCommand internal-sftp
>
> This works.
>
> If the sshd account is missing or disabled, I can't connect using the
> sftponly user, so it would seem that the sshd account really is required.
>
> I have three questions:
>
> a) Why is it necessary to specify SYSTEM as user number 0 in the
> /etc/password file?
>
> b) Why is the sshd account required?

sshd checks for uid 0 and requires the sshd account when chroot is
requested.

> b) Why are /cygdrive and /dev directories visible when connecting using a
> sftp client?

The Cygwin chroot implementation is pure fake. It's not backed by the
OS and it's fairly easy to break out of the jail. As such, the chroot
implementation is deprecated and only kept for backward compatibility.

I suggest not to use it. It gives a wrong sense of security.

Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
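
A small audit helper for the advice above, added here as an example and not part of the original message or of the Cygwin or OpenSSH code: it lists every active ChrootDirectory setting in an sshd_config, with its Match context, so those settings can be found and removed on Cygwin hosts where the chroot is not enforced by the OS. The function name and the sample configuration (including the `Match Group staff` block) are constructed for illustration.

```python
import re

# Constructed sample: the Match block quoted in the message, plus a global
# "none" setting and a second Match block (both assumptions for illustration).
SAMPLE_CONFIG = """\
# global section
Subsystem sftp internal-sftp
ChrootDirectory none

Match User sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp

Match Group staff
    chrootdirectory=/srv/jail
"""


def find_chroot_directives(config_text):
    """Return (line_no, context, path) for every active ChrootDirectory.

    context is "global" or the criteria of the enclosing Match block.
    "ChrootDirectory none" switches chroot off and is not reported.
    """
    findings = []
    context = "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        # Keyword and arguments are separated by whitespace, or optionally "=".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()              # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            context = "Match " + value          # applies until the next Match
        elif keyword == "chrootdirectory" and value.lower() != "none":
            findings.append((line_no, context, value))
    return findings


if __name__ == "__main__":
    for line_no, context, path in find_chroot_directives(SAMPLE_CONFIG):
        print(f"line {line_no}: ChrootDirectory {path} ({context})")
```
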