Re: No way to use ssh ~/.ssh/config with "noacl" option
- Date: Wed, 8 Nov 2017 18:07:40 -0500
- From: "Matt D." <codespunk@xxxxxxxxx>
- Subject: Re: No way to use ssh ~/.ssh/config with "noacl" option
On 11/4/2017 1:38 PM, Matt D. wrote:
On 11/4/2017 1:15 PM, Matt D. wrote:
> On 11/4/2017 11:43 AM, Achim Gratz wrote:
>> That's the correct thing to do, even though you made this unnecessarily
>> hard for yourself by mounting your home directory with "noacl".
> It's not perfect but I've always had trouble with all of the
> modifications Cygwin makes to a file's permissions to support
> POSIX-style ACLs. I do miss being able to manage them with chmod and
> setfacl though.
> For those wishing to set their ssh config to 600 (as recognized by
> Cygwin's ssh), use the following:
> Reset file permissions:
> icacls config /t /q /c /reset
> Inheritence must be disabled to alter other groups:
> icacls config /inheritance:d
> Effectively regarded as "group":
> icacls config /remove:g "Authenticated Users"
> icacls config /remove:g "Users"
> Regarded as "other":
> icacls config /remove:g "Everyone"
> Add the current user as the owner:
> icacls config /grant "%USERNAME%:rw"
> Matt D.
My previous reply was missing "takeown" to take ownership. The correct
sequence of commands is:
icacls config /t /q /c /reset
icacls config /inheritance:d
takeown /f config
icacls config /remove:g "Authenticated Users"
icacls config /remove:g "Users"
icacls config /remove:g "Everyone"
icacls config /grant "%USERNAME%:rw"
This is equivalent to "chmod 600 config".
Here is a more portable version of taking ownership and setting
permissions to 600. It uses SIDs instead of literal names which may vary
icacls "id_rsa" /t /q /c /reset
icacls "id_rsa" /inheritance:d
takeown /f "id_rsa"
icacls "id_rsa" /remove *S-1-5-11
icacls "id_rsa" /remove *S-1-5-32-545
icacls "id_rsa" /remove *S-1-1-0
icacls "id_rsa" /grant "%USERNAME%:rw"
S-1-5-11 (Authenticated Users group)
S-1-5-32-545 (Users group)
S-1-1-0 (Everyone group)
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple