From unknown Fri Apr 17 00:43:24 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#1156: another workaround
Reply-To: Jonathan Landis <jkl@calibersecurity.com>, 1156@bugs.x2go.org
Resent-From: Jonathan Landis <jkl@calibersecurity.com>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Sat, 05 May 2018 00:45:02 +0000
Resent-Message-ID: <handler.1156.B1156.152548083725617@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 1156
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: 
Received: via spool by 1156-submit@bugs.x2go.org id=B1156.152548083725617
          (code B ref 1156); Sat, 05 May 2018 00:45:02 +0000
Received: (at 1156) by bugs.x2go.org; 5 May 2018 00:40:37 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.7 required=3.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE autolearn=ham autolearn_force=no
	version=3.4.1
Received: from localhost (localhost [127.0.0.1])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTP id 2088C5DAE9
	for <1156@bugs.x2go.org>; Sat,  5 May 2018 02:40:06 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at ymir.das-netzwerkteam.de
Received: from ymir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (ymir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id SArKPh6ceSxc for <1156@bugs.x2go.org>;
	Sat,  5 May 2018 02:39:51 +0200 (CEST)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 3CF9A5DA81
	for <1156@bugs.x2go.org>; Sat,  5 May 2018 02:39:51 +0200 (CEST)
Received: by mail-wm0-x22f.google.com with SMTP id l1-v6so7517136wmb.2
        for <1156@bugs.x2go.org>; Fri, 04 May 2018 17:39:51 -0700 (PDT)
X-Received: by 10.28.48.206 with SMTP id w197mr16816830wmw.22.1525480790497;
 Fri, 04 May 2018 17:39:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.104.84 with HTTP; Fri, 4 May 2018 17:39:49 -0700 (PDT)
From: Jonathan Landis <jkl@calibersecurity.com>
Date: Fri, 4 May 2018 17:39:49 -0700
Message-ID: <CAFo4EaD5bNH-HWQsZgjwFmto9W1B0P3UaPEOs8rAAhe6DNL9Bw@mail.gmail.com>
To: 1156@bugs.x2go.org
Content-Type: multipart/alternative; boundary="001a11422d82a14bdd056b6aac80"

--001a11422d82a14bdd056b6aac80
Content-Type: text/plain; charset="UTF-8"

You can fix the file permissions without Cygwin, but not with File
Explorer. You need to use the industrial-strength subinacl.exe tool
available for free from Microsoft. It's often the only option for
permissions issues, so it is useful to have around.

As noted earlier in the thread, the ssh_host_rsa_key file's primary group
is the same as the user. So the group permissions are the user permissions,
and there is no possible way to satisfy the permissions requirements, even
if you delete all permissions entries except the one for the user.

So what you have to do is set the primary group to something else, and make
sure that it doesn't have access to the file. Like this:

"c:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /file ssh_host_rsa_key /setprimarygroup=Administrators

That will set the primary group to the builtin Administrators group. Make
sure that group doesn't have an access grant (which can be done in File
Explorer if desired).

--001a11422d82a14bdd056b6aac80--
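
The two conditions described in the message above (primary group different from the owner, and no access grant for that group) can be checked before and after running subinacl. This is an added example, not part of the original message or of X2Go's code; the function name Test-KeyFilePrimaryGroup is hypothetical, and the script assumes it is run in the directory that holds ssh_host_rsa_key.

```powershell
# Added example: read-only audit of a key file's owner, primary group and group grants.
# Assumption: the file is named ssh_host_rsa_key, as in the message; pass -Path otherwise.
function Test-KeyFilePrimaryGroup {
    param([string]$Path = 'ssh_host_rsa_key')

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path
    $owner   = $acl.GetOwner($sidType)
    $group   = $acl.GetGroup($sidType)

    # Allow entries (explicit and inherited) held by the primary group's SID.
    $groupGrants = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $group.Value
    })

    $problems = @()
    if ($owner.Value -eq $group.Value) {
        # The case from the thread: group permissions are the user permissions.
        $problems += 'Primary group is the same SID as the owner.'
    } elseif ($groupGrants.Count -gt 0) {
        # Primary group was changed, but it still has an access grant on the file.
        $problems += 'Primary group differs from the owner but has an access grant.'
    }

    [pscustomobject]@{
        Path         = $Path
        Owner        = $acl.Owner
        PrimaryGroup = $acl.Group
        GroupRights  = ($groupGrants | ForEach-Object { $_.FileSystemRights }) -join '; '
        Problems     = $problems
        Ok           = ($problems.Count -eq 0)
    }
}

Test-KeyFilePrimaryGroup -Path 'ssh_host_rsa_key' | Format-List
```

The function only reads the security descriptor; it changes nothing on the file.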
