On Thu, 23 Feb 2006, Tim Daneliuk wrote:

> Is anyone familiar with alternate access methods as they apply to
> cygwin? If I edit /etc/hosts.allow, the alternate access method
> (indicated by a '+' in an 'ls -l' listing) gets lost. Thereafter
> /etc/hosts.allow is no longer properly observed by sshd - it makes ssh
> logins impossible from anything other than localhost.

Cygwin isn't ACL-aware, and file creation operations don't retain the
original ACLs -- Cygwin constructs them anew to reflect the permission
mapping. See <http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-files>.
To make sure you keep the ACLs, use an editor that edits files in-place,
rather than making a copy (e.g., vim).

> So ... how do I edit /etc/hosts.allow and retain the alternate access
> method that appears to be crucial for proper sshd operation?

The alternate access method is not crucial. What's crucial is that the
files should be a) readable by SYSTEM, and b) not group/world-readable.
To accomplish this, "chown SYSTEM.SYSTEM /etc/hosts.{allow,deny} && chmod
600 /etc/hosts.{allow,deny}" (this is more secure, anyway). No need for
an alternate method. You can then temporarily chown them to your userid
or "chmod a+w" for editing (restoring the owner/permissions afterwards).

> P.S. Notice that merely copying the originally installed hosts.allow to
> a backup copy causes the alternate access method to be lost:

Same reason -- Cygwin isn't really ACL-aware. You can also restore the
original ACLs by running something like "getfacl hosts.allow | setfacl -f
- hosts.allow.orig" (assuming the owner stays the same).

> -rwx------+ 1 tundra None 200 Feb 23 00:15 hosts.allow
> -rwx------  1 tundra None 200 Feb 23 00:15 hosts.allow.orig
> -rwx------+ 1 tundra None 407 Feb 23 00:15 hosts.deny

These files should really be owned by SYSTEM (or whatever user sshd runs
as).

HTH,
	Igor
--
http://cs.nyu.edu/~pechtcha/
Igor Peshansky, Ph.D. (name changed!)
old name: Igor Pechtchanski
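
The owner/mode requirement and the edit-in-place advice from the reply above, as an added shell example that is not part of the original message. The function names `check_hosts_file` and `edit_in_place` are hypothetical, and GNU `stat` (coreutils, as shipped with Cygwin) is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat (coreutils).

# Succeed only if FILE is owned by WANT_OWNER, readable by that owner,
# and carries no group/world permission bits (e.g. mode 600).
check_hosts_file() {
    file=$1 want_owner=$2
    info=$(stat -c '%U %a' "$file") || return 2
    owner=${info% *}    # everything before the last space
    mode=${info##* }    # octal mode, e.g. 600
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owner is '$owner', expected '$want_owner'" >&2
        return 1
    fi
    case $mode in
        *[4-7]00) return 0 ;;
        *) echo "$file: mode $mode is not owner-only readable" >&2
           return 1 ;;
    esac
}

# Run a filter command over FILE and write the result back into the SAME
# file object (truncate and rewrite), instead of renaming a new copy over
# it as "sed -i" and many editors do. The inode and owner stay as they were.
edit_in_place() {
    file=$1; shift
    tmp=$(mktemp) || return 1          # mktemp creates it with mode 600
    if "$@" < "$file" > "$tmp"; then
        cat "$tmp" > "$file"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```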