This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: Domain User restrictions - Windows server 2012 R2

Bergbauer, Daniel AVL/DE via cygwin writes:
> Information:
> *       Cygwin (also ssh service) on the server is up and running on C:\tools\cygwin
> *       Added Domain Users group to /etc/group of cygwin installation (means everyone can login with their windows password!):
> *       Added every Domain User to passwd file.

Lots of cargo-culting there.  Get rid of the group and passwd files and
use AD instead (it's the default anyway).  I'd avoid password-based
logins with SSH and go public key only in your setup (unless the users
need to be able to use their credentials on the network).

> *       Mapped following directories in fstab file:
> 1.      C:/tools/cygwin /
> 2.      C:/projects /home (because the home folder of every user is: C:\projects\username)
> 3.      C:/tools/cygwin/bin /usr/bin
> 4.      C:/tools/cygwin/lib /usr/lib (I cannot remember why I mapped point 3 & 4)

None of this is really needed, but you could keep 2. (it's slightly
better to use /etc/fstab.d/username for that).

> * Created RSA keys for EVERY user on the user's machine and put it
> into his/her home folder on the server with ssh-copy-id
> ... (/home/u89x77/.ssh == C:\projects\u89x77\.ssh).  Everyone is now
> able to connect to his folder on the server without giving his/her
> windows password again (I had to do this because my tool to synch
> works with 'rsync')

So, disallow password-based logins.

> What I want now is, to restrict every user, who connects to the server
> via ssh, to its home folder /home/'username' == C:\projects\'username'
> For example: A user's username in our domain is u89x77. He's able to
> login normally via ssh but is also able to cd for example into
> C:\Windows or worse into C:\projects\'other username'\'absolute secret
> project'.

There is no way to restrict the user from exercising permissions that he
already has.  So you'd need to make sure that the DACLs on the user
directories are set up so that nobody can peek into another user's
directory.  Plus you must arrange it so that the user can not change the
DACL.  There is no chroot or similar on Windows.  You could perhaps try
if Windows containers or a VM provide enough isolation, but that may not
be a workable option on Server 2012 and eat too many resources depending
on the number of users.

+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
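The two pieces of advice in the reply above, key-only sshd and per-user NTFS DACLs that the user cannot loosen, as a worked example. This is added to the archive page and is not code from either poster or from the Cygwin project. It assumes the paths from the original post (C:\tools\cygwin, C:\projects\username), a Cygwin sshd service named cygsshd (older ssh-host-config installs use sshd), that the AD NetBIOS domain is the one the admin running the script is logged on to, and a constructed user list; run it from an elevated PowerShell on the server.

```powershell
# Added example: harden the Cygwin sshd setup described in the thread.
# Not from the original mail or from Cygwin; paths, service name and user list are
# assumptions. Run elevated on the server.

$CygwinRoot   = 'C:\tools\cygwin'   # from the original post
$ProjectsRoot = 'C:\projects'       # from the original post
$SshdService  = 'cygsshd'           # assumption: recent ssh-host-config name; older installs use 'sshd'
$Domain       = $env:USERDOMAIN     # assumption: script runs as an account of the users' AD domain
$Users        = @('u89x77')         # constructed sample; pull the real list from AD

# --- 1. Key-only SSH -------------------------------------------------------
# sshd uses the first value it reads for a keyword, so prepend the settings
# and comment out any existing directive (including ones inside Match blocks,
# which is intended: nobody gets a password login).
$sshdConfig = Join-Path $CygwinRoot 'etc\sshd_config'
Copy-Item -Path $sshdConfig -Destination "$sshdConfig.bak" -Force

$wanted = @{
    'PasswordAuthentication'       = 'no'
    'KbdInteractiveAuthentication' = 'no'   # ChallengeResponseAuthentication on older OpenSSH
    'PubkeyAuthentication'         = 'yes'
}
$lines = @(Get-Content -Path $sshdConfig)
foreach ($key in $wanted.Keys) {
    $lines = $lines -replace ('^(\s*' + $key + '\b.*)$'), '#$1'
    $lines = @("$key $($wanted[$key])") + $lines
}
# Write LF-only, UTF-8 without BOM, so the file stays a normal Cygwin text file.
[System.IO.File]::WriteAllText($sshdConfig, (($lines -join "`n") + "`n"))

# --- 2. Per-user directory DACLs ------------------------------------------
# Goal: only the user, SYSTEM and Administrators can enter C:\projects\<user>,
# and the user gets Modify (no WRITE_DAC / WRITE_OWNER) so the DACL cannot be
# changed. Owner is set to Administrators, because an owner always has the
# implicit right to rewrite the DACL regardless of the ACEs.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl
$modify    = [System.Security.AccessControl.FileSystemRights]::Modify

foreach ($u in $Users) {
    $dir = Join-Path $ProjectsRoot $u
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    $acl = Get-Acl -Path $dir
    # Stop inheriting from C:\projects and drop the inherited ACEs (e.g. a
    # "Users: Read & execute" entry that lets everyone browse everyone).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop leftover explicit ACEs, then rebuild from scratch.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';     Rights = $full   },
        @{ Id = 'BUILTIN\Administrators';  Rights = $full   },
        @{ Id = "$Domain\$u";              Rights = $modify }
    )) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, $entry.Rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $dir -AclObject $acl

    # Check what actually landed on disk.
    (Get-Acl -Path $dir).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}

Restart-Service -Name $SshdService
```

Two caveats when using this: files the user creates inside the directory are owned by the user, so the user can still loosen the DACL on those files (with chmod under Cygwin, or icacls), and because the Users group normally holds the "Bypass traverse checking" privilege such a file stays reachable by full path even though the directory itself is closed. The script protects the directory, not what a careless user does with his own files; removing the privilege or auditing for lax file DACLs is the follow-up if that matters. Also test a key-based login from a second session before closing the one you are in, since the restart takes effect for new connections immediately.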
