public inbox for cygwin@cygwin.com
* RE: [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1
@ 2002-06-27 13:48 Harig, Mark A.
  2002-06-28  3:01 ` Corinna Vinschen
  0 siblings, 1 reply; 8+ messages in thread
From: Harig, Mark A. @ 2002-06-27 13:48 UTC (permalink / raw)
  To: Chris Metcalf, cygwin



> -----Original Message-----
> From: Chris Metcalf [mailto:metcalf@incert.com]
> Sent: Thursday, June 27, 2002 1:28 PM
> To: cygwin@cygwin.com
> Subject: Re: [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1
> 
> 
> On Thu, 27 Jun 2002, Corinna Vinschen wrote:
> > The Cygwin version modifies that test so that if /var/empty resides
> > on a FAT or FAT32 filesystem, or if ntsec is not activated, the
> > ownership isn't tested at all.  If /var/empty is on an NTFS filesystem
> > and ntsec is switched on, the ownership is checked against the user
> > running sshd.
> 
> Thanks.  This was indeed the problem (I'm running ntfs, ntsec).
> 
> I saw your note about one small change and it didn't occur to me that it was
> exactly the one thing that I went into the "official" sources in search of!
> 
> Some words to this effect should go into /usr/doc/openssh/README.privsep
> as well, since it still talks about a "chown root:sys /var/empty" being
> required.
> 

Perhaps this information should go into
/usr/doc/Cygwin/openssh-3.4p1-1.README instead?

My understanding of the documentation setup is
that Cygwin-specific information goes into
/usr/doc/Cygwin, while the "official" 
(non-Cygwin-specific) documents go into
/usr/doc/<package-name>.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* Re: [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1
  2002-06-27 13:48 [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1 Harig, Mark A.
@ 2002-06-28  3:01 ` Corinna Vinschen
  2002-06-28 23:58   ` Kim Scarborough
  0 siblings, 1 reply; 8+ messages in thread
From: Corinna Vinschen @ 2002-06-28  3:01 UTC (permalink / raw)
  To: cygwin

On Thu, Jun 27, 2002 at 01:51:41PM -0400, Harig, Mark A. wrote:
> Perhaps this information should go into
> /usr/doc/Cygwin/openssh-3.4p1-1.README instead?
> 
> My understanding of the documentation setup is
> that Cygwin-specific information goes into
> /usr/doc/Cygwin, while the "official" 
> (non-Cygwin-specific) documents go into
> /usr/doc/<package-name>.

You're right and I will change the /usr/doc/Cygwin/openssh-*.README
to add some text.

Question:  Would you and others think it's a good idea to create
a local user "sshd" and the /var/empty directory from ssh-host-config?

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.


* Re: [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1
  2002-06-28  3:01 ` Corinna Vinschen
@ 2002-06-28 23:58   ` Kim Scarborough
  0 siblings, 0 replies; 8+ messages in thread
From: Kim Scarborough @ 2002-06-28 23:58 UTC (permalink / raw)
  To: cygwin

> Question:  Would you and others think it's a good idea to create
> a local user "sshd" and the /var/empty directory from ssh-host-config?

Yes, definitely. And it should enable UsePrivilegeSeparation by default.

------------------------------------------------------------------------------
Kim Scarborough                                     http://www.unknown.nu/kim/
------------------------------------------------------------------------------




* Re: [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1
  2002-06-28  9:43 Karl M
@ 2002-06-29  9:34 ` Corinna Vinschen
  0 siblings, 0 replies; 8+ messages in thread
From: Corinna Vinschen @ 2002-06-29  9:34 UTC (permalink / raw)
  To: cygwin

On Fri, Jun 28, 2002 at 07:28:22AM -0700, Karl M wrote:
> Hi Corinna...
> 
> >Question:  Would you and others think it's a good idea to create
> >a local user "sshd" and the /var/empty directory from ssh-host-config?
> >
> >Corinna
> 
> Yes...I think it would be a good idea...at least on an NT class machine. It 
> should probably ask the user first, just like it does on other steps in 
> ssh-host-config.

Sure.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.


* Re: [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1
@ 2002-06-28  9:43 Karl M
  2002-06-29  9:34 ` Corinna Vinschen
  0 siblings, 1 reply; 8+ messages in thread
From: Karl M @ 2002-06-28  9:43 UTC (permalink / raw)
  To: cygwin

Hi Corinna...

>Question:  Would you and others think it's a good idea to create
>a local user "sshd" and the /var/empty directory from ssh-host-config?
>
>Corinna

Yes...I think it would be a good idea...at least on an NT class machine. It 
should probably ask the user first, just like it does on other steps in 
ssh-host-config.

Thanks,

...Karl



* RE: [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1
@ 2002-06-28  8:42 Mark Bradshaw
  0 siblings, 0 replies; 8+ messages in thread
From: Mark Bradshaw @ 2002-06-28  8:42 UTC (permalink / raw)
  To: 'cygwin@cygwin.com'

Looked like there was some possibility that /var/empty might not be a
permanent thing, but even so it won't hurt anything if it's still around.
Would you try to create a windows user "sshd"?  I'd think that would be
necessary for it to work, and some may not like that.  However, in general
getting privsep to work by default would seem to be a good thing.

> -----Original Message-----
> From: Corinna Vinschen [mailto:corinna-cygwin@cygwin.com]
> Sent: Friday, June 28, 2002 4:07 AM
> To: cygwin@cygwin.com
> Subject: Re: [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1
> 
> 
> On Thu, Jun 27, 2002 at 01:51:41PM -0400, Harig, Mark A. wrote:
> > Perhaps this information should go into
> > /usr/doc/Cygwin/openssh-3.4p1-1.README instead?
> > 
> > My understanding of the documentation setup is
> > that Cygwin-specific information goes into
> > /usr/doc/Cygwin, while the "official" 
> > (non-Cygwin-specific) documents go into
> > /usr/doc/<package-name>.
> 
> You're right and I will change the /usr/doc/Cygwin/openssh-*.README
> to add some text.
> 
> Question:  Would you and others think it's a good idea to create
> a local user "sshd" and the /var/empty directory from ssh-host-config?
> 
> Corinna
> 
> -- 
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:cygwin@cygwin.com
> Red Hat, Inc.

* Re: [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1
  2002-06-27 10:48 Corinna Vinschen
@ 2002-06-27 12:16 ` Chris Metcalf
  0 siblings, 0 replies; 8+ messages in thread
From: Chris Metcalf @ 2002-06-27 12:16 UTC (permalink / raw)
  To: cygwin

On Thu, 27 Jun 2002, Corinna Vinschen wrote:
> The Cygwin version modifies that test so that if /var/empty resides
> on a FAT or FAT32 filesystem, or if ntsec is not activated, the
> ownership isn't tested at all.  If /var/empty is on an NTFS filesystem
> and ntsec is switched on, the ownership is checked against the user
> running sshd.

Thanks.  This was indeed the problem (I'm running ntfs, ntsec).

I saw your note about one small change and it didn't occur to me that it was
exactly the one thing that I went into the "official" sources in search of!

Some words to this effect should go into /usr/doc/openssh/README.privsep
as well, since it still talks about a "chown root:sys /var/empty" being
required.

                Chris Metcalf -- InCert Software -- 1 (617) 621 8080
                metcalf@incert.com -- http://www.incert.com/~metcalf



* [ANNOUNCEMENT] Re: Updated: OpenSSH-3.4p1-1
@ 2002-06-27 10:48 Corinna Vinschen
  2002-06-27 12:16 ` Chris Metcalf
  0 siblings, 1 reply; 8+ messages in thread
From: Corinna Vinschen @ 2002-06-27 10:48 UTC (permalink / raw)
  To: cygwin

On Wed, Jun 26, 2002 at 06:50:10PM +0200, Corinna Vinschen wrote:
> I've updated the version of OpenSSH to 3.4p1-1.
> 
> This is an official bug fix release.
> 
> Note that the Cygwin source differs in one file from the official
> source since a last minute patch of the official OpenSSH maintainers
> did break privilege separation for Cygwin again :-(  So the Cygwin
> source archive contains a patched sshd.c.

Since that message wasn't as clear as I hoped, I have to add the
following text:

The code added by the OpenSSH maintainers checked the /var/empty
directory for ownership 'root'.  This is obviously not useful on
Cygwin.

The Cygwin version modifies that test so that if /var/empty resides
on a FAT or FAT32 filesystem, or if ntsec is not activated, the
ownership isn't tested at all.  If /var/empty is on an NTFS filesystem
and ntsec is switched on, the ownership is checked against the user
running sshd.  Hint: If sshd is started as service under SYSTEM
account, the ownership is checked to be SYSTEM...

Any further question as usual to cygwin@cygwin.com.  Please don't
send private email.

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
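
The ownership rule described in the announcement above, modelled as a small C function. This is an added example, not the patched sshd.c from the Cygwin package: the names check_privsep_dir, dir_status and owner_meaningful are hypothetical, the caller is assumed to decide whether the filesystem is FAT/FAT32 or ntsec is off, and the group/world-writable test is an extra assumption not stated in the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum dir_status { DIR_OK, DIR_MISSING, DIR_UNCHECKED, DIR_BAD_OWNER, DIR_BAD_MODE };

/*
 * Model of the check discussed in the thread (not the sshd.c source).
 * owner_meaningful: 0 when ownership cannot be represented (FAT/FAT32, or
 * ntsec off on Cygwin); the caller determines this (assumption).
 * required_owner: 0 (root) for the upstream rule, or the uid of the account
 * running sshd for the Cygwin rule.
 */
enum dir_status
check_privsep_dir(const char *path, uid_t required_owner, int owner_meaningful)
{
    struct stat st;

    if (stat(path, &st) == -1 || !S_ISDIR(st.st_mode))
        return DIR_MISSING;
    if (!owner_meaningful)
        return DIR_UNCHECKED;   /* "the ownership isn't tested at all" */
    if (st.st_uid != required_owner)
        return DIR_BAD_OWNER;
    /* Assumption added here: also refuse group- or world-writable modes. */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return DIR_BAD_MODE;
    return DIR_OK;
}

int
main(void)
{
    static const char *names[] = { "ok", "missing or not a directory",
        "ownership not checked", "bad owner", "group/world-writable" };
    /* Cygwin rule with ownership enforceable: owner must be the current user. */
    enum dir_status s = check_privsep_dir("/var/empty", getuid(), 1);

    printf("/var/empty: %s\n", names[s]);
    return s == DIR_OK ? 0 : 1;
}
```

Passing 0 as required_owner gives the upstream "owned by root" rule; passing getuid() gives the rule the announcement describes for NTFS with ntsec switched on.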


