From: "Matt D."
Subject: Re: No way to use ssh ~/.ssh/config with "noacl" option
Reply-To: codespunk+cygwin@gmail.com
To: cygwin@cygwin.com
Date: Sat, 04 Nov 2017 13:31:00 -0000
Message-ID: <59FDC12F.1080005@codespunk.com>
In-Reply-To: <59FDA8D9.6050808@gmail.com>
References: <59FD8C99.8010703@gmail.com> <20171104113723.GC18070@calimero.vinschen.de> <59FDA8D9.6050808@gmail.com>

On 11/4/2017 7:47 AM, Matt D. wrote:
> On 11/4/2017 7:37 AM, Corinna Vinschen wrote:
>> On Nov 4 05:47, Matt D. wrote:
>>> I mount with "noacl" as I don't need ACLs for my purposes and prefer to
>>> leave everything up to Windows permissions.
>>>
>>> The problem with this is that ssh insists that ~/.ssh/config be less
>>> permissive. But this file is bound to --rw-r--r-- for this option.
>>>
>>> Would it be appropriate to request ssh to ignore this requirement when
>>> "noacl" is present on the mounted volume?
>>
>> Yes, in theory. However, this shouldn't be necessary.
>>
>> Ssh already has code to check extreme perms only in "acl" mounted
>> directories, but it does not have this extra check for config files,
>> basically because it was never necessary:
>>
>> If you use noacl, your file perms are faked to always be 644, or
>> 444 if the DOS R/O bit is set, or 755/555 if executable/directory.
>> Additionally all files are faked as if they are owned by your own
>> account.
>>
>> Ssh checks the config file like this:
>>
>>   if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
>>       (sb.st_mode & 022) != 0))
>>           fatal("Bad owner or permissions on %s", filename);
>>
>> Which means, 0644 permissions are perfectly fine. As are 755 perms
>> for the ~/.ssh and ~ dirs.
>>
>> I just mounted my home dir "noacl". The perms are as expected:
>>
>>   $ ls -ld . .ssh .ssh/config .ssh/id_local
>>   drwxr-xr-x 1 corinna vinschen    0 Nov  4 12:27 .
>>   drwxr-xr-x 1 corinna vinschen    0 Mar 14  2017 .ssh
>>   -rw-r--r-- 1 corinna vinschen  703 Jan 19  2017 .ssh/config
>>   -rw-r--r-- 1 corinna vinschen 7329 Jan 12  2017 .ssh/id_local
>>
>> Note especially the too open perms in case of the private keyfile
>> "id_local". Still, I can ssh into one of my other machines just fine.
>>
>> How come this doesn't work for you?
>>
>>
>> Corinna
>>
>
> I don't know why it doesn't work for me other than the reported error. I
> am trying to use ssh combined with git. My .ssh permissions are:
>
> $ls -ld . .ssh .ssh/config .ssh/github
> drwxr-xr-x 1 Matthew D'Onofrio None    0 Nov  4 06:42 .
> drwxr-xr-x 1 Matthew D'Onofrio None    0 Nov  4 04:51 .ssh
> -rw-r--r-- 1 Matthew D'Onofrio None   80 Nov  4 04:51 .ssh/config
> -rw-r--r-- 1 Matthew D'Onofrio None 3243 Nov  3 10:53 .ssh/github
>
> I removed the noacl option in fstab, re-ran Cygwin setup, set
> .ssh/config to 600 and ssh was happy. I then reverted back to noacl and
> the problem returned.
>
> I'm in the process of trying to build openssh with cygpath for debugging
> but this is my first time building anything from Cygwin or using
> cygports so it's taking some time.
>
>
> Matt D.

Please stand by. Looking into this further.

Matt D.
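
Added example, not part of the original messages and not OpenSSH source: a small C diagnostic that applies the config-file check quoted in the thread and reports whether the owner half or the mode half would produce "Bad owner or permissions". The helper names classify_config and check_config_path are hypothetical, and calling stat() on a path is an assumption, since the quoted snippet only shows the test on sb.

```c
/* Added example (not OpenSSH source): split the quoted config-file check
 * into its owner half and its mode half to see which one fails. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum { CFG_OK = 0, CFG_BAD_OWNER = 1, CFG_BAD_MODE = 2 };

/* Hypothetical helper: same predicate as the quoted snippet, returned as
 * a bitmask instead of calling fatal(). */
int classify_config(uid_t file_uid, mode_t file_mode, uid_t my_uid)
{
    int result = CFG_OK;

    if (file_uid != 0 && file_uid != my_uid)
        result |= CFG_BAD_OWNER;      /* owned by neither root nor caller */
    if ((file_mode & 022) != 0)
        result |= CFG_BAD_MODE;       /* group- or world-writable */
    return result;
}

/* Hypothetical helper: stat() the path (an assumption, see the lead-in)
 * and classify it. Returns -1 if stat() fails. */
int check_config_path(const char *path)
{
    struct stat sb;

    if (stat(path, &sb) == -1) {
        perror(path);
        return -1;
    }
    printf("%s: st_uid=%lu getuid()=%lu st_mode=%04o\n", path,
           (unsigned long)sb.st_uid, (unsigned long)getuid(),
           (unsigned)(sb.st_mode & 07777));
    return classify_config(sb.st_uid, sb.st_mode, getuid());
}

int main(int argc, char **argv)
{
    int r = check_config_path(argc > 1 ? argv[1] : ".ssh/config");

    if (r > 0)
        printf("would be rejected:%s%s\n",
               (r & CFG_BAD_OWNER) ? " owner" : "",
               (r & CFG_BAD_MODE) ? " mode" : "");
    else if (r == 0)
        printf("passes the quoted check\n");
    return r == 0 ? 0 : 1;
}
```

Running it from the home directory under both the acl and the noacl mount shows whether st_uid matches getuid() in each case, which the ls listings in the thread do not reveal.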