On Apr 14 15:43, Eliot Moss via Cygwin wrote:
> On 4/14/2023 3:11 PM, Corinna Vinschen via Cygwin wrote:
> > On Apr 13 23:03, Eliot Moss via Cygwin wrote:
> > > Dear cygwin'ers -
> > > 
> > > I seem to be caught in a bind with the Cygwin permissions setup.
> > > 
> > > ssh insists that ~/.ssh/config have permissions no less permissive than 
> > > rw------- (600).
> > 
> > Huh?  No, it doesn't, usually.  My file has perms rw-r--r-- (644) and
> > that's perfectly fine.  Also, I tried the same setting as you did,
> > i.e.
> > 
> > $ getfacl config
> > # file: config
> > # owner: corinna
> > # group: vinschen
> > user::rw-
> > group::---
> > group:SYSTEM:r-x
> > mask::r-x
> > other::---
> > 
> > And ssh still works as desired and does not throw any error.
> > 
> > You can also add g:SYSTEM:r-x to the directories and it should have
> > no negative side effect.  I just did that with ~/.ssh and ssh still
> > works as expected.
> 
> Of course you're entirely right, Corinna!  Not sure how I got it
> in my head that it needed 600 permissions.  Thank you for clarifying!
> 
> However ... ssh *does* demand that key files be accessible only by
> the user.

Hmm, right.  I should have thought of that.

> Is there a solution - if necessary using Windows tools -
> to make ssh happy while allowing a SYSTEM backup tool to back up
> the file?

Well, you could run a script before and after running the backup
tool which adds/removes SYSTEM perms to the affected files.

Alternatively you could do a fake from inside the Cygwin env:

- Move ~/.ssh to ~/.ssh-realperms

- Set the permissions in ~/.ssh-realperms as desired so they
  are secure *and* allow the backup tool to operate on them.

- Add a mount point to /etc/fstab.d/eliot:

  C:/cygwin64/home/eliot/.ssh-realperms /home/eliot/.ssh noacl 0 0

I didn't try that myself yet, but that should do what you want, because
ssh checks if the underlying filesystem (or mount point) accepts POSIX
permissions.  If not, certain permission checks are skipped.


HTH,
Corinna

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
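
The first suggestion in the message above (a script run before and after the backup tool) could be written as follows. This is an added example, not part of the original message and not tested on Cygwin by its author. The function names, the grant/revoke/wrap subcommands, the use of `setfacl -x` to drop the entry, and the assumption that the key files were mode 600 beforehand are all assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): give SYSTEM read access to ssh key
# files only while a backup runs, then restore owner-only access.
SETFACL=${SETFACL:-setfacl}    # overridable; Cygwin's setfacl by default
ACL_WHO=${ACL_WHO:-g:SYSTEM}   # entry notation as used in the thread

# Add the SYSTEM entry to every file given; stop at the first failure.
grant_system() {
    for f in "$@"; do
        "$SETFACL" -m "$ACL_WHO:r-x" "$f" || return 1
    done
}

# Drop the SYSTEM entry again and reset the mode bits ssh checks.
# Assumption: the key files were mode 600 before the backup.
revoke_system() {
    rc=0
    for f in "$@"; do
        "$SETFACL" -x "$ACL_WHO" "$f" || rc=1
        chmod 600 "$f" || rc=1
    done
    return "$rc"
}

# run_backup BACKUP_CMD FILE...: grant, run the backup, always revoke.
# Returns the backup's exit status, or 1 if granting or revoking failed.
run_backup() {
    backup_cmd=$1
    shift
    status=0
    if grant_system "$@"; then
        "$backup_cmd" || status=$?
    else
        status=1
    fi
    if ! revoke_system "$@" && [ "$status" -eq 0 ]; then
        status=1
    fi
    return "$status"
}

# Entry points: "grant"/"revoke" as pre/post hooks, "wrap" to do both.
case "${1:-}" in
    grant)  shift; grant_system "$@" ;;
    revoke) shift; revoke_system "$@" ;;
    wrap)   shift; run_backup "$@" ;;
esac
```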
