On Aug 29 15:36, Ken Brown wrote:
> On 8/29/2014 3:23 PM, Achim Gratz wrote:
> >Ken Brown writes:
> >>With the latest snapshot I can't start the sshd service.  The
> >>Application Log just says, "`sshd' service stopped, exit
> >>status:255".  The problem doesn't occur with the 2014-08-27 snapshot.
> >>I guess this has something to do with the new permissions on various
> >>files, but I'm not sure which ones.
> >
> >Off the top of my head for the standard installation:
> >
> >/etc/ssh*
> >/var/empty
> >/var/log/sshd
> >
> >When you try to debug the sshd, IIR these are the files that must be
> >chown'ed to the admin user that runs sshd from the terminal.  Running in
> >debug mode (either from the terminal or via sshd_config) should produce
> >messages which file or directory sshd is choking on.
>
> I just checked /var/log/sshd.log.  (I hadn't thought to do that before.)
> The last message in it is, "/var/empty must be owned by root and not group
> or world-writable."  So the problem seems to be that /var/empty appears to
> sshd to be group writable under the latest snapshot.  This is the "downside"
> that Corinna mentioned.  What needs to be done to /var/empty to fix this?

What needs to be done is to fix the ssh-host-config script.  It adds an
ACE for SYSTEM on /var/empty, /etc, and /var/log for no apparent reason.
I just sent a patch upstream which removes the code trying to generate
/etc and /var/log entirely (done by setup.exe) and which drops adding a
SYSTEM ACE to /var/empty.

A temporary workaround is either to remove the SYSTEM ACE:

  $ setfacl -d g:18: /var/empty

or to change /etc/sshd_config not to use privilege separation:

  UsePrivilegeSeparation no

However, this is obviously a problem for all existing installations.
OpenSSH 6.7p1 will be released pretty soon.  I will add a postinstall
script which removes the SYSTEM ACE from /var/empty at installation
time.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
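
Added example, not part of the thread and not Cygwin or OpenSSH code: a pre-flight check that applies the condition from the sshd.log message quoted above (expected owner, no group or world write) to a directory such as /var/empty and, when getfacl is available, lists named ACL entries that grant write access. The function name check_privsep_dir and its owner-uid parameter (default 0) are assumptions, since which account counts as root is installation-specific.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the sshd
# privilege-separation directory, mirroring the sshd.log message
# "must be owned by root and not group or world-writable".
# Usage: check_privsep_dir DIR [OWNER_UID]   (OWNER_UID defaults to 0; assumption)
# Returns 0 = passes, 1 = would be rejected, 2 = DIR is missing.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }

    # ls -ldn prints e.g. "drwxrwxr-x+ 1 18 544 ..." (constructed sample);
    # field 1 is the mode string, field 3 the numeric owner uid.
    mode=$(ls -ldn -- "$dir" | awk '{print $1}')
    uid=$(ls -ldn -- "$dir" | awk '{print $3}')
    rc=0

    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owner uid is $uid, expected $want_uid" >&2
        rc=1
    fi
    # Character 6 of the mode string is group write, character 9 is world write.
    case $mode in
        ?????w*) echo "$dir: group-writable ($mode)" >&2; rc=1 ;;
    esac
    case $mode in
        ????????w*) echo "$dir: world-writable ($mode)" >&2; rc=1 ;;
    esac

    # On failure, list named ACL entries that grant write access, such as the
    # SYSTEM entry (gid 18) that the workaround in the thread deletes.
    if [ "$rc" -ne 0 ] && command -v getfacl >/dev/null 2>&1; then
        getfacl "$dir" 2>/dev/null | grep -E '^(user|group):[^:]+:.w' >&2 || true
    fi
    return "$rc"
}
```

Running `check_privsep_dir /var/empty` before restarting the service shows whether the directory would be rejected without having to read the failure out of sshd.log.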