public inbox for cygwin@cygwin.com
* Permissions question / issue
From: Eliot Moss @ 2023-04-14  3:03 UTC (permalink / raw)
  To: cygwin

Dear cygwin'ers -

I seem to be caught in a bind with the Cygwin permissions setup.

ssh insists that ~/.ssh/config have permissions no less permissive than rw------- (600).

However, my backup program runs as SYSTEM and needs access.  I tried to
provide that access by adding an ACL g:SYSTEM:r-x, but that appears as
rw-r-x--- and ssh doesn't like it.

I seem to recall that at some point in the past we agreed to ignore the
permissions given to SYSTEM when computing effective permission (e.g., as
output by ls -l).  That would suit the purpose.

Did something change?  Or am I misremembering the solution to the conundrum?

Note: I have Administrator privilege on my machine, but that doesn't help,
since the backup tool runs under SYSTEM, a different account.

Best wishes - Eliot Moss


* Re: Permissions question / issue
From: Eliot Moss @ 2023-04-14 13:25 UTC (permalink / raw)
  To: cygwin

On 4/13/2023 11:03 PM, Eliot Moss via Cygwin wrote:
> Dear cygwin'ers -
> 
> I seem to be caught in a bind with the Cygwin permissions setup.
> 
> ssh insists that ~/.ssh/config have permissions no less permissive than rw------- (600).

---> should have read no *more* permissive (sent too late at night!)

> However, my backup program runs as SYSTEM and needs access.  I tried to
> provide that access by adding an ACL g:SYSTEM:r-x, but that appears as
> rw-r-x--- and ssh doesn't like it.
> 
> I seem to recall that at some point in the past we agreed to ignore the
> permissions given to SYSTEM when computing effective permission (e.g., as
> output by ls -l).  That would suit the purpose.
> 
> Did something change?  Or am I misremembering the solution to the conundrum?
> 
> Note: I have Administrator privilege on my machine, but that doesn't help,
> since the backup tool runs under SYSTEM, a different account.
> 
> Best wishes - Eliot Moss
> 


* Re: Permissions question / issue
From: Corinna Vinschen @ 2023-04-14 19:11 UTC (permalink / raw)
  To: cygwin

On Apr 13 23:03, Eliot Moss via Cygwin wrote:
> Dear cygwin'ers -
> 
> I seem to be caught in a bind with the Cygwin permissions setup.
> 
> ssh insists that ~/.ssh/config have permissions no less permissive than rw------- (600).

Huh?  No, it doesn't, usually.  My file has perms rw-r--r-- (644) and
that's perfectly fine.  Also, I tried the same setting as you did,
i.e.

$ getfacl config
# file: config
# owner: corinna
# group: vinschen
user::rw-
group::---
group:SYSTEM:r-x
mask::r-x
other::---

And ssh still works as desired and does not throw any error.

You can also add g:SYSTEM:r-x to the directories and it should have
no negative side effect.  I just did that with ~/.ssh and ssh still
works as expected.


Corinna


* Re: Permissions question / issue
From: Eliot Moss @ 2023-04-14 19:43 UTC (permalink / raw)
  To: cygwin

On 4/14/2023 3:11 PM, Corinna Vinschen via Cygwin wrote:
> On Apr 13 23:03, Eliot Moss via Cygwin wrote:
>> Dear cygwin'ers -
>>
>> I seem to be caught in a bind with the Cygwin permissions setup.
>>
>> ssh insists that ~/.ssh/config have permissions no less permissive than rw------- (600).
> 
> Huh?  No, it doesn't, usually.  My file has perms rw-r--r-- (644) and
> that's perfectly fine.  Also, I tried the same setting as you did,
> i.e.
> 
> $ getfacl config
> # file: config
> # owner: corinna
> # group: vinschen
> user::rw-
> group::---
> group:SYSTEM:r-x
> mask::r-x
> other::---
> 
> And ssh still works as desired and does not throw any error.
> 
> You can also add g:SYSTEM:r-x to the directories and it should have
> no negative side effect.  I just did that with ~/.ssh and ssh still
> works as expected.

Of course you're entirely right, Corinna!  Not sure how I got it
in my head that it needed 600 permissions.  Thank you for clarifying!

However ... ssh *does* demand that key files be accessible only by
the user.  Is there a solution - if necessary using Windows tools -
to make ssh happy while allowing a SYSTEM backup tool to back up
the file?

Regards - Eliot


* Re: Permissions question / issue
From: Eliot Moss @ 2023-04-14 19:49 UTC (permalink / raw)
  To: cygwin

On 4/14/2023 3:43 PM, Eliot Moss via Cygwin wrote:
> On 4/14/2023 3:11 PM, Corinna Vinschen via Cygwin wrote:
>> On Apr 13 23:03, Eliot Moss via Cygwin wrote:
>>> Dear cygwin'ers -
>>>
>>> I seem to be caught in a bind with the Cygwin permissions setup.
>>>
>>> ssh insists that ~/.ssh/config have permissions no less permissive than rw------- (600).
>>
>> Huh?  No, it doesn't, usually.  My file has perms rw-r--r-- (644) and
>> that's perfectly fine.  Also, I tried the same setting as you did,
>> i.e.
>>
>> $ getfacl config
>> # file: config
>> # owner: corinna
>> # group: vinschen
>> user::rw-
>> group::---
>> group:SYSTEM:r-x
>> mask::r-x
>> other::---
>>
>> And ssh still works as desired and does not throw any error.
>>
>> You can also add g:SYSTEM:r-x to the directories and it should have
>> no negative side effect.  I just did that with ~/.ssh and ssh still
>> works as expected.
> 
> Of course you're entirely right, Corinna!  Not sure how I got it
> in my head that it needed 600 permissions.  Thank you for clarifying!
> 
> However ... ssh *does* demand that key files be accessible only by
> the user.  Is there a solution - if necessary using Windows tools -
> to make ssh happy while allowing a SYSTEM backup tool to back up
> the file?

More info:

At present I have:

$ getfacl id_rsa2
# file: id_rsa2
# owner: moss
# group: moss
user::rw-
group::---
group:SYSTEM:r--        #effective:---
mask::---
other::---

$ icacls id_rsa2
id_rsa2 NULL SID:(DENY)(Rc,DC)
         ELIOT-SURFACE-3\moss:(R,W,D,WDAC,WO)
         ELIOT-SURFACE-3\moss:(Rc,S,RA)
         NT AUTHORITY\SYSTEM:(R)
         Everyone:(Rc,S,RA)

I don't claim expert level understanding of the Windows access
scheme, but Windows Explorer believes that SYSTEM has read access
to the file, so I suppose this will work.  I guess we're kind of
lying to cygwin a little - but in a way that is useful here.

Best wishes - Eliot


* Re: Permissions question / issue
From: Corinna Vinschen @ 2023-04-14 20:13 UTC (permalink / raw)
  To: cygwin

On Apr 14 15:43, Eliot Moss via Cygwin wrote:
> On 4/14/2023 3:11 PM, Corinna Vinschen via Cygwin wrote:
> > On Apr 13 23:03, Eliot Moss via Cygwin wrote:
> > > Dear cygwin'ers -
> > > 
> > > I seem to be caught in a bind with the Cygwin permissions setup.
> > > 
> > > ssh insists that ~/.ssh/config have permissions no less permissive than rw------- (600).
> > 
> > Huh?  No, it doesn't, usually.  My file has perms rw-r--r-- (644) and
> > that's perfectly fine.  Also, I tried the same setting as you did,
> > i.e.
> > 
> > $ getfacl config
> > # file: config
> > # owner: corinna
> > # group: vinschen
> > user::rw-
> > group::---
> > group:SYSTEM:r-x
> > mask::r-x
> > other::---
> > 
> > And ssh still works as desired and does not throw any error.
> > 
> > You can also add g:SYSTEM:r-x to the directories and it should have
> > no negative side effect.  I just did that with ~/.ssh and ssh still
> > works as expected.
> 
> Of course you're entirely right, Corinna!  Not sure how I got it
> in my head that it needed 600 permissions.  Thank you for clarifying!
> 
> However ... ssh *does* demand that key files be accessible only by
> the user.

Hmm, right.  I should have thought of that.

> Is there a solution - if necessary using Windows tools -
> to make ssh happy while allowing a SYSTEM backup tool to back up
> the file?

Well, you could run a script before and after running the backup
tool which adds/removes SYSTEM perms to the affected files.

Alternatively you could do a fake from inside the Cygwin env:

- Move ~/.ssh to ~/.ssh-realperms

- Set the permissions in ~/.ssh-realperms as desired so they
  are secure *and* allow the backup tool to operate on them.

- Add a mount point to /etc/fstab.d/eliot:

  C:/cygwin64/home/eliot/.ssh-realperms /home/eliot/.ssh noacl 0 0

I didn't try that myself yet, but that should do what you want, because
ssh checks if the underlying filesystem (or mount point) accepts POSIX
permissions.  If not, certain permission checks are skipped.


HTH,
Corinna
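Corinna's first suggestion above, a script that grants SYSTEM read access only for the duration of the backup run, worked out as an added example that is not part of the thread and not Cygwin's or OpenSSH's code. It is a Python wrapper around Cygwin's setfacl (the `-m` / `-x` invocations are the standard ones; the function names and the injectable `run` parameter are my own, the latter so the grant/run/revoke sequence can be exercised without touching real files). The point a practitioner cares about is in the `finally` block: the wider grant must be removed again even when the backup command fails or raises, and only files that were actually granted get revoked.

```python
import subprocess

# Added example (not from the thread): wrap a backup command in a temporary
# grant of read access to SYSTEM.  Function names and the `run` injection
# point are assumptions; setfacl -m / -x are the real Cygwin options.

PRINCIPAL = "SYSTEM"


def grant_cmd(path, principal=PRINCIPAL):
    """setfacl -m adds (or modifies) a named-group entry.  The mask is
    recalculated so the entry is effective, which is what the backup needs."""
    return ["setfacl", "-m", f"g:{principal}:r--", path]


def revoke_cmd(path, principal=PRINCIPAL):
    """setfacl -x removes the named-group entry again."""
    return ["setfacl", "-x", f"g:{principal}", path]


def run_backup_with_temporary_access(files, backup_cmd, run=subprocess.run,
                                     principal=PRINCIPAL):
    """Grant, run the backup, revoke.  Returns the backup's exit status.

    `run` defaults to subprocess.run and is injectable for testing.  The
    revocation lives in a `finally` block so a failing or interrupted
    backup cannot leave the grant in place, and only paths that were
    actually granted (the grant itself may fail) are revoked, in reverse
    order."""
    granted = []
    try:
        for path in files:
            run(grant_cmd(path, principal), check=True)
            granted.append(path)
        return run(backup_cmd, check=False).returncode
    finally:
        for path in reversed(granted):
            run(revoke_cmd(path, principal), check=False)


if __name__ == "__main__":
    import sys
    # Usage: python grant_backup.py /home/eliot/.ssh/id_rsa2 -- <backup command...>
    sep = sys.argv.index("--")
    sys.exit(run_backup_with_temporary_access(sys.argv[1:sep], sys.argv[sep + 1:]))
```

While the grant is in place the file's group-class bits are non-zero (setfacl recalculates the mask so the SYSTEM entry is effective), so ssh would refuse the key during that window; the window is meant to be exactly the backup run, which is why the revocation is unconditional.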


* Re: Permissions question / issue
From: Corinna Vinschen @ 2023-04-14 20:17 UTC (permalink / raw)
  To: cygwin

On Apr 14 15:49, Eliot Moss via Cygwin wrote:
> At present I have:
> 
> $ getfacl id_rsa2
> # file: id_rsa2
> # owner: moss
> # group: moss
> user::rw-
> group::---
> group:SYSTEM:r--        #effective:---
> mask::---
> other::---
> 
> $ icacls id_rsa2
> id_rsa2 NULL SID:(DENY)(Rc,DC)
>         ELIOT-SURFACE-3\moss:(R,W,D,WDAC,WO)
>         ELIOT-SURFACE-3\moss:(Rc,S,RA)
>         NT AUTHORITY\SYSTEM:(R)
>         Everyone:(Rc,S,RA)
> 
> I don't claim expert level understanding of the Windows access
> scheme, but Windows Explorer believes that SYSTEM has read access
> to the file, so I suppose this will work.  I guess we're kind of
> lying to cygwin a little - but in a way that is useful here.

Oh, cool, of course!  Given "mask" is POSIX-only, the backup tool should
work nicely.

Great solution!  I should have thought of that myself, given how long
I have hacked on this POSIX ACL stuff...


Corinna
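To make the "mask is POSIX-only" point concrete, here is an added example (not from the thread, not Cygwin or OpenSSH code) that models Cygwin's POSIX-side view of the two getfacl listings posted above and runs OpenSSH's private-key mode check against them. The sample text is copied from Eliot's and Corinna's messages; the function names are my own. It parses getfacl's long-text output, applies the POSIX.1e mask rule (owning-group and named entries are ANDed with the mask, owner and other are not), derives the st_mode bits that `ls -l` and ssh see (with a mask present, the group class of st_mode is the mask), and applies the `mode & 077` test OpenSSH uses before it refuses a key as "too open".

```python
# Added example (not from the thread): POSIX-side view of the two ACLs posted
# in this thread plus OpenSSH's private-key mode check.  Function names are
# assumptions; the sample listings are copied from the messages above.

# Copied from Eliot's message: mask --- makes the SYSTEM entry ineffective
# on the POSIX side while the Windows DACL still carries an (R) ACE for it.
GETFACL_ID_RSA2 = """\
# file: id_rsa2
# owner: moss
# group: moss
user::rw-
group::---
group:SYSTEM:r--        #effective:---
mask::---
other::---
"""

# Copied from Corinna's message: mask r-x leaves the SYSTEM entry effective.
GETFACL_CONFIG = """\
# file: config
# owner: corinna
# group: vinschen
user::rw-
group::---
group:SYSTEM:r-x
mask::r-x
other::---
"""


def perm_bits(rwx):
    """'r-x' -> 5 (rwx as a 3-bit value)."""
    return ((4 if rwx[0] == "r" else 0)
            | (2 if rwx[1] == "w" else 0)
            | (1 if rwx[2] == "x" else 0))


def perm_str(bits):
    """5 -> 'r-x'."""
    return (("r" if bits & 4 else "-")
            + ("w" if bits & 2 else "-")
            + ("x" if bits & 1 else "-"))


def parse_getfacl(text):
    """Parse getfacl's long-text output.  The '# file/owner/group' header and
    the '#effective:' annotations are dropped: effective rights are derived
    from the mask, they are not stored in the ACL."""
    acl = {"user": 0, "group": 0, "other": 0, "mask": None, "named": []}
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        tag, qualifier, rwx = entry.split(":")
        bits = perm_bits(rwx)
        if qualifier:                       # user:NAME:... / group:NAME:...
            acl["named"].append((tag, qualifier, bits))
        elif tag == "mask":
            acl["mask"] = bits
        else:                               # user::, group::, other::
            acl[tag] = bits
    return acl


def effective_named(acl):
    """POSIX.1e rule: named user/group entries (and the owning-group entry)
    are ANDed with the mask; owner and 'other' are never masked."""
    mask = acl["mask"]
    return [(tag, q, bits if mask is None else bits & mask)
            for tag, q, bits in acl["named"]]


def mode_bits(acl):
    """The permission bits stat()/ls -l report.  With a mask entry present,
    the group class of st_mode *is* the mask, not the owning-group entry."""
    group_class = acl["mask"] if acl["mask"] is not None else acl["group"]
    return (acl["user"] << 6) | (group_class << 3) | acl["other"]


def ssh_key_perms_ok(mode):
    """OpenSSH refuses a private key when any group or other bit is set
    (the 'permissions ... are too open' error): mode & 077 must be zero."""
    return (mode & 0o077) == 0


def summarize(getfacl_text):
    acl = parse_getfacl(getfacl_text)
    mode = mode_bits(acl)
    system = [perm_str(b) for _tag, q, b in effective_named(acl) if q == "SYSTEM"]
    return {
        "mode": oct(mode),
        "ls": perm_str(acl["user"]) + perm_str((mode >> 3) & 7) + perm_str(mode & 7),
        "system_effective": system[0] if system else None,
        "ssh_key_ok": ssh_key_perms_ok(mode),
    }


if __name__ == "__main__":
    for name, text in (("id_rsa2", GETFACL_ID_RSA2), ("config", GETFACL_CONFIG)):
        print(name, summarize(text))
```

For `id_rsa2` the model yields mode 0600, `rw-------`, SYSTEM effective `---`, and the ssh check passes; for Corinna's `config` ACL it yields mode 0650, `rw-r-x---`, SYSTEM effective `r-x`, and the same check would refuse it if it were a key (it is fine for `~/.ssh/config`, which ssh does not subject to that check). Everything above is the POSIX view only; the `NT AUTHORITY\SYSTEM:(R)` ACE in the icacls output is what actually grants the backup tool read access on the Windows side. The caveat for anyone auditing such a setup is therefore that the POSIX mode no longer tells the whole story about who can read the key: check the Windows DACL with icacls as well.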

