From: Achim Gratz <Stromeko AT nexgo DOT de>
To: cygwin AT cygwin DOT com
Subject: Re: Domain User restrictions - Windows server 2012 R2
References: <9e8b10829e18453f9e3af064a0d67c7c AT ATGRZSW1694 DOT avl01 DOT avlcorp DOT lan>
Date: Sat, 06 Jul 2019 21:35:06 +0200
In-Reply-To: <9e8b10829e18453f9e3af064a0d67c7c@ATGRZSW1694.avl01.avlcorp.lan> (Daniel Bergbauer's message of "Wed, 3 Jul 2019 08:41:23 +0000")
Message-ID: <8736jjt0r9.fsf@Rainer.invalid>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)
MIME-Version: 1.0
Bergbauer, Daniel AVL/DE via cygwin writes:

> Information:
> * Cygwin (also ssh service) on the server is up and running on C:\tools\cygwin
> * Added Domain Users group to /etc/group of cygwin installation (means everyone can login with their windows password!):
> * Added every Domain User to passwd file.

Lots of cargo-culting there. Get rid of the group and passwd files and use AD instead (it's the default anyway). I'd avoid password-based logins with SSH and go public key only in your setup (unless the users need to be able to use their credentials on the network).

> * Mapped following directories in fstab file:
> 1. C:/tools/cygwin /
> 2. C:/projects /home (because the home folder of every user is: C:\projects\username)
> 3. C:/tools/cygwin/bin /usr/bin
> 4. C:/tools/cygwin/lib /usr/lib (I cannot remember why I mapped point 3 & 4)

None of this is really needed, but you could keep 2. (it's slightly better to use /etc/fstab.d/username for that).

> * Created RSA keys for EVERY user on the user's machine and put it
> into his/her home folder on the server with ssh-copy-id
> ... (/home/u89x77/.ssh == C:\projects\u89x77\.ssh). Everyone is now
> able to connect to his folder on the server without giving his/her
> windows password again (I had to do this because my tool to synch
> works with 'rsync')

So, disallow password-based logins.

> What I want now is, to restrict every user, who connects to the server
> via ssh, to its home folder /home/'username' == C:\projects\'username'
> For example: A user's username in our domain is u89x77. He's able to
> login normally via ssh but is also able to cd for example into
> C:\Windows or worse into C:\projects\'other username'\'absolute secret
> project'.

There is no way to restrict the user from exercising permissions that he already has. So you'd need to make sure that the DACL on the user directories is set up so that nobody can peek into another user's directory. Plus you must arrange it so that the user cannot change the DACL. There is no chroot or similar on Windows. You could perhaps try if Windows containers or a VM provide enough isolation, but that may not be a workable option on Server 2012 and eat too many resources depending on the number of users.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
DIY Stuff: http://Synth.Stromeko.net/DIY.html
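One way to set up the per-user DACLs Achim describes, so that each user can only reach their own folder and cannot rewrite its DACL (an added example, not part of the thread): it assumes the C:\projects\<username> layout from Daniel's message and uses a placeholder domain name EXAMPLE.

```powershell
# Added example, not from the mailing-list post. Assumes each user's home is
# C:\projects\<username> (as in the thread) and the accounts are AD users in a
# domain whose NetBIOS name is the placeholder EXAMPLE. Run as an administrator.
$ProjectsRoot = 'C:\projects'
$Domain       = 'EXAMPLE'   # placeholder: replace with your domain NetBIOS name

foreach ($dir in Get-ChildItem -Path $ProjectsRoot -Directory) {
    $user = "$Domain\$($dir.Name)"
    $path = $dir.FullName

    # 1. Protect the user folder from the parent's ACEs (e.g. a broad "Users"
    #    entry inherited from C:\) so nothing permissive leaks in from above.
    icacls $path /inheritance:r | Out-Null

    # 2. Owner = Administrators. An owner implicitly holds WRITE_DAC, so the
    #    user must not own the folder or they could rewrite the DACL anyway.
    icacls $path /setowner 'BUILTIN\Administrators' /t /c /q | Out-Null

    # 3. Admins and SYSTEM: Full control, inheritable to files (OI) and dirs (CI).
    #    The user: Modify (M) only. M lacks WRITE_DAC and WRITE_OWNER, so they can
    #    create/delete/edit files but cannot change permissions or take ownership.
    icacls $path /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
                          'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                          "${user}:(OI)(CI)M" | Out-Null

    # 4. Make everything already inside the folder inherit the new DACL
    #    instead of keeping whatever explicit ACEs it had before.
    Get-ChildItem -Path $path -Force | ForEach-Object {
        icacls $_.FullName /reset /t /c /q | Out-Null
    }
}

# 5. The root: Domain Users may list C:\projects (RX, this folder only), but
#    since each subfolder no longer inherits, a user cannot open or enumerate a
#    sibling's folder. Admins and SYSTEM keep full control.
icacls $ProjectsRoot /inheritance:r | Out-Null
icacls $ProjectsRoot /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
                              'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                              "$Domain\Domain Users:(RX)" | Out-Null

# Quick check: print the effective DACL of one user folder for review.
icacls (Join-Path $ProjectsRoot 'u89x77')
```

This covers the file-system side only; the "go public key only" part from the reply is a matter of setting PasswordAuthentication no in the Cygwin sshd_config (C:\tools\cygwin\etc\sshd_config in the layout described) and restarting the sshd service.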