Matt Kemmerer | 23 Jul 17:25 2008

ssh-host-config script fails

I've recently installed cygwin on a Windows XP box. I followed the same
procedure I have in the past but this time I received a number of
errors. Here's what I did:

* Downloaded setup.exe from cygwin.com
* Installed from the internet and selected emacs and OpenSSH to be
installed
* Started up a shell and typed ssh-host-config
In the past I was nearly done at this point but this time I received the
following error:

Administrator <at> ics-dp35xppro ~

$ ssh-host-config

/usr/bin/ssh-host-config: line 23:
/usr/share/csih/cygwin-service-installation-helper.sh: No such file or
directory
/usr/bin/ssh-host-config: line 466: csih_make_dir: command not found

/usr/bin/ssh-host-config: line 471: csih_make_dir: command not found

/usr/bin/ssh-host-config: line 489: csih_make_dir: command not found

chmod: cannot access `/var/empty': No such file or directory

setfacl: No such file or directory

/usr/bin/ssh-host-config: line 37: csih_inform: command not found

(Continue reading)

Corinna Vinschen | 23 Jul 18:34 2008

Re: ssh-host-config script fails

On Jul 23 11:25, Matt Kemmerer wrote:
> I've recently installed cygwin on a Windows XP box. I followed the same
> procedure I have in the past but this time I received a number of
> errors. Here's what I did:
> 
> * Downloaded setup.exe from cygwin.com
> * Installed from the internet and selected emacs and OpenSSH to be
> installed
> * Started up a shell and typed ssh-host-config
> In the past I was nearly done at this point but this time I received the
> following error:
> 
> Administrator <at> ics-dp35xppro ~
> 
> $ ssh-host-config
> 
> /usr/bin/ssh-host-config: line 23:
> /usr/share/csih/cygwin-service-installation-helper.sh: No such file or
> directory

Uh, yes, I missed to add the csih dependency to setup.hint.  I just
did that on cygwin.com, should be at the mirrors shortly.

> Administrator <at> ics-dp35xppro ~
> $ ssh-host-config
> *** Info: Creating default /etc/ssh_config file
> *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
> *** Info: Creating default /etc/sshd_config file
> *** Info: Privilege separation is set to yes by default since OpenSSH
> 3.3.
(Continue reading)

Matt Kemmerer | 23 Jul 19:47 2008

RE: ssh-host-config script fails


-----Original Message-----
From: cygwin-owner <at> cygwin.com [mailto:cygwin-owner <at> cygwin.com] On Behalf
Of Corinna Vinschen
Sent: Wednesday, July 23, 2008 12:35 PM
To: cygwin <at> cygwin.com
Subject: Re: ssh-host-config script fails

On Jul 23 11:25, Matt Kemmerer wrote:
>> I've recently installed cygwin on a Windows XP box. I followed the
same
>> procedure I have in the past but this time I received a number of
>> errors. Here's what I did:
>> 
>> * Downloaded setup.exe from cygwin.com
>> * Installed from the internet and selected emacs and OpenSSH to be
>> installed
>> * Started up a shell and typed ssh-host-config
>> In the past I was nearly done at this point but this time I received
the
>> following error:
>> 
>> Administrator <at> ics-dp35xppro ~
>> 
>> $ ssh-host-config
>> 
>> /usr/bin/ssh-host-config: line 23:
>> /usr/share/csih/cygwin-service-installation-helper.sh: No such file
or
>> directory
(Continue reading)

Corinna Vinschen | 23 Jul 20:02 2008

Re: ssh-host-config script fails

On Jul 23 13:47, Matt Kemmerer wrote:
> What version of csih should I look for with the fix? All the versions I
> see on the mirror were modified on 7/19.

There is no fix for csih yet.  As a workaround, install the older
OpenSSH 5.0p1-1.  I changed the installation dir on cygwin.com, so that
that version should be available (again) on the mirrors in a couple of
hours.

Corinna

--

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Matt Kemmerer | 23 Jul 20:09 2008

RE: ssh-host-config script fails

>There is no fix for csih yet.  As a workaround, install the older
>OpenSSH 5.0p1-1.  I changed the installation dir on cygwin.com, so that
>that version should be available (again) on the mirrors in a couple of
>hours.

>Corinna

Thanks, I'll install the old version for now. I look forward to the
fixed release.

--Matt

Corinna Vinschen | 24 Jul 11:22 2008

CSIH file permission tests on non-NTFS broken (was Re: ssh-host-config script fails)

Hi Chuck,

On Jul 23 18:34, Corinna Vinschen wrote:
> On Jul 23 11:25, Matt Kemmerer wrote:
> > Administrator <at> ics-dp35xppro ~
> > $ ssh-host-config
> > *** Info: Creating default /etc/ssh_config file
> > *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
> > *** Info: Creating default /etc/sshd_config file
> > *** Info: Privilege separation is set to yes by default since OpenSSH
> > 3.3.
> > *** Info: However, this requires a non-privileged account called 'sshd'.
> > *** Info: For more info on privilege separation read
> > /usr/share/doc/openssh/README.privsep.
> > *** Query: Should privilege separation be used? (yes/no) yes
> > *** Warning: The owner and the Administrators need
> > *** Warning: to have .w. permission to /var/run.
> > *** Warning: Here are the current permissions:
> > *** Warning: drwxr-xr-x 2 Administrator None 0 Jul 23 10:21 /var/run
> > *** Warning: Please change the user and/or group ownership and
> > *** Warning: permissions of /var/run.
> > *** ERROR: Problem with /var/run directory. Exiting.
> > 
> > I've tried changing the permissions on /var/run but the commands chgrp
> > and chmod both produce no error but do not change the permissions
> > either.
> 
> Eeek!  You're using FAT32 on a NT based OS?  This isn't such a good
> idea, actually.  There's no security and no permission settings on FAT.
> The csih script seems to miss the fact that the directory is on a
(Continue reading)

Corinna Vinschen | 30 Jul 14:49 2008

Re: CSIH file permission tests on non-NTFS broken (was Re: ssh-host-config script fails)

Chuck?

On Jul 24 11:22, Corinna Vinschen wrote:
> Hi Chuck,
> 
> On Jul 23 18:34, Corinna Vinschen wrote:
> > On Jul 23 11:25, Matt Kemmerer wrote:
> > > Administrator <at> ics-dp35xppro ~
> > > $ ssh-host-config
> > > *** Info: Creating default /etc/ssh_config file
> > > *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
> > > *** Info: Creating default /etc/sshd_config file
> > > *** Info: Privilege separation is set to yes by default since OpenSSH
> > > 3.3.
> > > *** Info: However, this requires a non-privileged account called 'sshd'.
> > > *** Info: For more info on privilege separation read
> > > /usr/share/doc/openssh/README.privsep.
> > > *** Query: Should privilege separation be used? (yes/no) yes
> > > *** Warning: The owner and the Administrators need
> > > *** Warning: to have .w. permission to /var/run.
> > > *** Warning: Here are the current permissions:
> > > *** Warning: drwxr-xr-x 2 Administrator None 0 Jul 23 10:21 /var/run
> > > *** Warning: Please change the user and/or group ownership and
> > > *** Warning: permissions of /var/run.
> > > *** ERROR: Problem with /var/run directory. Exiting.
> > > 
> > > I've tried changing the permissions on /var/run but the commands chgrp
> > > and chmod both produce no error but do not change the permissions
> > > either.
> > 
(Continue reading)

Charles Wilson | 31 Jul 06:53 2008

Re: CSIH file permission tests on non-NTFS broken (was Re: ssh-host-config script fails)

Corinna Vinschen wrote:
>> On Jul 23 18:34, Corinna Vinschen wrote:
>>> On Jul 23 11:25, Matt Kemmerer wrote:
>>>> Administrator <at> ics-dp35xppro ~
>>>> $ ssh-host-config
>>>> *** Warning: The owner and the Administrators need
>>>> *** Warning: to have .w. permission to /var/run.
>>>> *** Warning: Here are the current permissions:
>>>> *** Warning: drwxr-xr-x 2 Administrator None 0 Jul 23 10:21 /var/run
>>>> *** Warning: Please change the user and/or group ownership and
>>>> *** Warning: permissions of /var/run.
>>>> *** ERROR: Problem with /var/run directory. Exiting.

>>> Eeek!  You're using FAT32 on a NT based OS?  This isn't such a good
>>> idea, actually.  There's no security and no permission settings on FAT.
>>> The csih script seems to miss the fact that the directory is on a
>>> non-NTFS drive which isn't capable of setting permissions.  Given that
>>> you're installing ssh, which is a paranoid secure playing package,
>>> that's actually a good idea.  Ever thought of running convert.exe on
>>> your drive? ;) 
>>>
>>> Nevertheless that should be changed in csih.
>> Could you have a look into this, please?

I'm not sure what you think csih should do, here.  The whole point is 
that we know services require certain things of the system directories, 
or they won't work.  Are you suggesting that csih just ignore that, and 
pretend to correctly install sshd on a FAT32 system?

Only to have sshd itself fail for some hard-for-a-newbie-to-diagnose reason?
(Continue reading)

Corinna Vinschen | 31 Jul 09:50 2008

Re: CSIH file permission tests on non-NTFS broken (was Re: ssh-host-config script fails)

On Jul 31 00:53, Charles Wilson wrote:
> Corinna Vinschen wrote:
>>>> Eeek!  You're using FAT32 on a NT based OS?  This isn't such a good
>>>> idea, actually.  There's no security and no permission settings on FAT.
>>>> The csih script seems to miss the fact that the directory is on a
>>>> non-NTFS drive which isn't capable of setting permissions.  Given that
>>>> you're installing ssh, which is a paranoid secure playing package,
>>>> that's actually a good idea.  Ever thought of running convert.exe on
>>>> your drive? ;) 
>>>> Nevertheless that should be changed in csih.
>>> Could you have a look into this, please?
>
> I'm not sure what you think csih should do, here.  The whole point is that 
> we know services require certain things of the system directories, or they 
> won't work.  Are you suggesting that csih just ignore that, and pretend to 
> correctly install sshd on a FAT32 system?
>
> Only to have sshd itself fail for some hard-for-a-newbie-to-diagnose 
> reason?

Sshd won't fail on FAT32 since it checks the file system capbailities
before checking for strict permissions.

> Perhaps, rather than checking:
>    # daemons need access to subdirs, so need traverse permissions...
>    if ! csih_check_dir_perms "${LOCALSTATEDIR}" d..x..x..x ; then ERROR
>[...]
> in _csih_setup() (which is called by the main csih entry points), those 
> permission checks could be delegated to the foo_install scripts which know 
> more about their own specific requirements, rather than the fairly general 
(Continue reading)

Charles Wilson | 5 Aug 02:51 2008

Re: CSIH file permission tests on non-NTFS broken (was Re: ssh-host-config script fails)

Corinna Vinschen wrote:
> A check for non-NTFS should be sufficient for now, IMHO.  It's bad
> enough to run an OS on such an insecure file system, but it's hard to
> enforce upgrading to NTFS.  However, ntsec and smbntsec are dead in the
> water and I don't think we should encourage usage of noacl more than
> necessary, especially for sensitive services.

So, I'd basically need to check the fstype for each of the directories 
of interest (they MAY all be on the same volume, but not necessarily).
    /var
    /var/run
    /var/log
    /var/empty
    /etc
So, how do I do that portably?  The 1.7 version of mount returns that 
information, but the 1.5 version does not.  What if I import your 
getvolinfo program
   http://cygwin.com/ml/cygwin/2007-08/msg00040.html
as one of the csih helper progs, and put it under /usr/lib/csih/ 
(alternatively, import getvolinfo into cygutils).

In that case, I wouldn't need to check for NTFS at all -- instead, I'd 
check for "FILE_PERSISTENT_ACLS[ ]*: TRUE", right?

Or is there a better way?

--
Chuck

(Continue reading)

Corinna Vinschen | 7 Aug 10:14 2008

Re: CSIH file permission tests on non-NTFS broken (was Re: ssh-host-config script fails)

On Aug  4 20:51, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> A check for non-NTFS should be sufficient for now, IMHO.  It's bad
>> enough to run an OS on such an insecure file system, but it's hard to
>> enforce upgrading to NTFS.  However, ntsec and smbntsec are dead in the
>> water and I don't think we should encourage usage of noacl more than
>> necessary, especially for sensitive services.
>
> So, I'd basically need to check the fstype for each of the directories of 
> interest (they MAY all be on the same volume, but not necessarily).
>    /var
>    /var/run
>    /var/log
>    /var/empty
>    /etc
> So, how do I do that portably?  The 1.7 version of mount returns that 
> information, but the 1.5 version does not.  What if I import your 

Oh, right.

> getvolinfo program
>   http://cygwin.com/ml/cygwin/2007-08/msg00040.html
> as one of the csih helper progs, and put it under /usr/lib/csih/ 
> (alternatively, import getvolinfo into cygutils).
>
> In that case, I wouldn't need to check for NTFS at all -- instead, I'd 
> check for "FILE_PERSISTENT_ACLS[ ]*: TRUE", right?

Sounds like a good idea to me.  OTOH, whatever you test, you might not
cover all situations.  What about letting the user override the test?
(Continue reading)

Charles Wilson | 7 Aug 17:37 2008

Re: CSIH file permission tests on non-NTFS broken (was Re: ssh-host-config script fails)

Corinna Vinschen wrote:
> On Aug  4 20:51, Charles Wilson wrote:

>> getvolinfo program
>>   http://cygwin.com/ml/cygwin/2007-08/msg00040.html
>> as one of the csih helper progs, and put it under /usr/lib/csih/ 
>> (alternatively, import getvolinfo into cygutils).
>>
>> In that case, I wouldn't need to check for NTFS at all -- instead, I'd 
>> check for "FILE_PERSISTENT_ACLS[ ]*: TRUE", right?
> 
> Sounds like a good idea to me.  OTOH, whatever you test, you might not
> cover all situations.  What about letting the user override the test?

Well, I can set up a new variable that calling scripts could assert, in 
order to force behavior one way or the other. But it would be up to the 
calling scripts to create a command line option so that the end user 
could override behavior. (although I suppose the end user could set them 
as exported environment vars)

I'm thinking something like a list of mount points that are/are-not ACL 
capable:

csih_WIN32_VOLS_WITH_ACLS="E:;//server/share;F:"
csih_WIN32_VOLS_WITHOUT_ACLS="C:;D:;//server/othershare"

Then these lists would be checked first, before using getvolinfo for 
unspecified mounts. That is:

csih_path_supports_acls()
(Continue reading)

Charles Wilson | 7 Aug 23:38 2008

Re: CSIH file permission tests on non-NTFS broken (was Re: ssh-host-config script fails)

Charles Wilson wrote:

> csih_WIN32_VOLS_WITH_ACLS="E:;//server/share;F:"
> csih_WIN32_VOLS_WITHOUT_ACLS="C:;D:;//server/othershare"
> 
> Then these lists would be checked first, before using getvolinfo for 
> unspecified mounts. That is:
> 
> csih_path_supports_acls()
> {
>     # convert $1 to win32
>     # check if it starts with any of the volumes
>     #   in csih_WIN32_VOLS_WITH_ACLS (\,/-agnostic)
>     #   and return true
>     # check if it starts with any of the volumes
>     #   in csih_WIN32_VOLS_WITHOUT_ACLS (\,/-agnostic)
>     #   and return false
>     return getvolinfo $1 | egrep "FILE_PERSISTENT_ACLS[ ]*: TRUE"
> }

As attached.

--
Chuck
Attachment (csih_path_supports_acls.sh.gz): application/gzip, 2673 bytes
Charles Wilson wrote:

> csih_WIN32_VOLS_WITH_ACLS="E:;//server/share;F:"
(Continue reading)


Gmane