Using Cygwin in Windows 8, chmod 600 does not work as expected?

77

34

I'm trying to change the permissions to my key file key.pem in Cygwin 1.7.11. It has the permissions flags: -rw-rw----

chmod -c 600 key.pem

Reports:

mode of 'key.pem' changed from 0660 (rw-rw----) to 0600 (rw-------)

However:

ls -l key.pem 

still reports

key.pem's permission flags are still: -rw-rw----

The reason why I'm asking is that ssh is complaining:

Permissions 0660 for 'key.pem' are too open.

when I try to ssh into my Amazon EC2 instance. Is this an issue with Cygwin & Windows 8 NTFS or am I missing something?

Castaa

Posted 2012-03-05T22:27:13.483

Reputation: 960

This sounds like a Win8/Cygwin bug. I'd recommend reporting it on the Cygwin mailing list.

– me_and – 2012-03-06T10:30:26.530

It might be related to NTFS... Windows doesn't really use that Linux scheme. Maybe you can try going into the windows permission settings and only give yourself rights... – sinni800 – 2012-03-07T11:11:35.083

I think this is related to http://superuser.com/questions/363141/using-git-through-cygwin-on-windows-8

– Daniel Stiner – 2012-03-27T02:09:46.283

Answers

98

I'm using Cygwin in the Win8CP, and I had the same issue. It's definitely a Cygwin bug, but there's a workaround: try running:

 chgrp -R Users ~/.ssh

The longer explanation is that, for some reason, Cygwin's /etc/passwd and /etc/group generation are putting the user's default/main group as None. And you cannot change the permission of None, so the chmod for group has no effect.

I didn't try repairing the passwd/group files myself, but I did do a chgrp -R Users ~/.ssh (or, if you are on the Windows 8 pre-release, with the group name HomeUsers). After that, you can do the chmod 0600 and it'll work as expected.

The chgrp to the Users group can be done in whichever other similar cases you find. It even works as expected since Cygwin puts users in the Users group as a secondary group (instead of primary, which would be the correct behavior).

Jessidhia

Posted 2012-03-05T22:27:13.483

Reputation: 2 602

Note that this also works for Mobaxterm. The group in Mobaxterm is called UsersGrp. Changing the group to Users allowed me to change file permissions and ssh worked. – Snap Shot – 2014-08-26T16:06:56.947

This also works for those who use MobaXterm – Will – 2014-11-29T14:15:14.647

3

It doesn't work anymore. The new solution is @luke-lee 's one. – fjardon – 2015-02-24T06:55:32.393

@SnapShot MobaXterm has nothing to do with it, it's just a terminal emulator. It's like saying that you have registered yourself to the Facebook in Internet Explorer and then you found out that you're registered to Facebook also in Chrome, Firefox and Opera. As a browser has nothing else to do with a website than displaying it, terminal emulator has nothing else to do with a shell than displaying it (and also sending user's input back to it). – Dawid Ferenczy Rogožan – 2015-09-20T03:49:58.920

12

I needed

chgrp -Rv Users ~/.ssh/*
chmod -vR 600 ~/.ssh/*
 – Tomáš Fejfar  – 2013-01-27T12:41:50.303

@TomášFejfar comment above worked for me. Thanks. – scaraveos – 2013-04-11T07:49:26.207

@TomášFejfar that was very helpful, maybe it should find its way into install scripts or something – dashesy – 2013-06-01T18:11:30.420

Yes, that would be lovely, but I usually can contribute only to github-based projects. Elsewhere it's too much hassle ;) – Tomáš Fejfar – 2013-06-02T10:31:26.567

4

Note if you have Windows installed in another language Users is not going to work. Use cat /etc/group to check with what you should replace Users. In Dutch for example you would have to replace Users with Gebruikers. – thijsai – 2014-01-09T16:58:57.763

28

Starting from Cygwin 1.7.34 (2015-02-04) the method that changes the group to Users no longer works. Instead you need to use Cygwin's setfacl utility.

  • Say, if you want to set file mode to 644 (rw-r--r--) do this:

    setfacl -s u::rw-,g::r--,o:r-- foo.bar
    
  • or use a longer format:

    setfacl -s user::rw-,group::r--,other::r-- foo.bar
    
  • or copy its mode using getfacl from file foo to bar:

    getfacl foo | setfacl -f - bar
    

A complete manual is in the "setfacl" section of the Cygwin user guide. I wonder why Cygwin has not yet changed chmod utility likewise.

Luke Lee

Posted 2012-03-05T22:27:13.483

Reputation: 379

1

solutions with group change to Users didn't work for me but only setfacl based one! – dim – 2015-03-02T14:53:41.333

2

Luke, I think you missed a colon in your first code-block after the 'o'. – SeldomNeedy – 2017-09-15T17:45:40.040

@SeldomNeedy Argh! You are right, corrected accordingly. Thanks! – Luke Lee – 2017-09-18T01:02:47.033

1

@SeldomNeedy After some more checks I found both syntaxes work, but the original one (with one colon) is more accurate. The 2nd colon for 'u' and 'g' is for specifying UID and GID. For 'o' there is no such specifier so only one colon is needed. – Luke Lee – 2017-09-18T01:15:22.617

11

Here is a script that uses Luke Lee's suggestion but supports octal args like chmod. It provides a framework that can be extended, although it currently only supports octal args needed to fix permission on key.pem and/or ~/.ssh directory and files.

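#!/bin/bash

# convert chmod octal permission args to equivalent setfacl args
ARGS=() ; FILES=()
while [ $# -gt 0 ]; do
  A=$1 ; shift
  case "$A" in
  600|0600) ARGS+=("u::rw-,g::---,o::---") ;;
  640|0640) ARGS+=("u::rw-,g::r--,o::---") ;;
  644|0644) ARGS+=("u::rw-,g::r--,o::r--") ;;
  700|0700) ARGS+=("u::rwx,g::---,o::---") ;;
  *)
    # anything that is not a supported mode must be an existing file or directory
    if [ -e "$A" ]; then
      FILES+=( "$A" )
    else
      echo "unrecognized arg [$A]" 1>&2
      exit 1
    fi
    ;;
  esac
done
# setfacl -s takes a single ACL spec, so require exactly one mode argument
if [ ${#ARGS[@]} -ne 1 ]; then
  echo "expected exactly one mode (600, 640, 644 or 700)" 1>&2
  exit 1
fi
for F in "${FILES[@]}" ; do
  setfacl -s "${ARGS[@]}" "$F"
done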

I used it like this to fix my .ssh directory and files:

chmodfacl 700 ~/.ssh
chmodfacl 600 ~/.ssh/*
chmodfacl 640 ~/.ssh/*.pub

philwalk

Posted 2012-03-05T22:27:13.483

Reputation: 374

Just got hit by this one in a cygwin update. Thanks for the script. setfacl on its own is horrible. – Andy Brown – 2015-02-14T16:32:39.390

Where do I put the script? – Sisir – 2016-08-14T10:31:36.237

the script can go anywhere in your cygwin path. You might create a $HOME/bin directory and put it there, although you'll then need to add it to your path, e.g., in $HOME/.bashrc. – philwalk – 2018-02-04T00:13:11.837
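
Going beyond the four modes hard-coded in the script above, an added example (not part of philwalk's answer or of the thread): it maps any three-digit octal mode to a setfacl -s spec and re-reads the mode after chmod, falling back to setfacl when chmod reports success without changing anything. The function names are hypothetical and GNU stat is assumed.

```bash
#!/bin/bash
# Added example, not code from the thread. Assumes GNU stat (as on Cygwin).

# octal_to_acl MODE: print the "setfacl -s" spec for a 3-digit octal mode
# (leading 0 allowed); setuid/setgid/sticky bits are rejected.
octal_to_acl() {
  local mode=$1 spec="" who bits digit i
  [[ $mode =~ ^0?[0-7]{3}$ ]] || { echo "bad mode [$mode]" >&2; return 1; }
  mode=${mode: -3}
  for i in 0 1 2; do
    digit=${mode:i:1}
    case $i in 0) who=u ;; 1) who=g ;; 2) who=o ;; esac
    bits=""
    (( digit & 4 )) && bits+=r || bits+=-
    (( digit & 2 )) && bits+=w || bits+=-
    (( digit & 1 )) && bits+=x || bits+=-
    spec+="${spec:+,}${who}::${bits}"
  done
  echo "$spec"
}

# too_open FILE: status 0 if group or other hold any permission bit, the
# condition behind ssh's "Permissions 0660 ... are too open" message.
too_open() {
  local m
  m=$(stat -c %a "$1") || return 2
  (( (8#$m & 8#077) != 0 ))
}

# set_mode MODE FILE: chmod, re-read the mode, and fall back to setfacl -s
# when chmod reported success but the mode did not change.
set_mode() {
  local acl got
  acl=$(octal_to_acl "$1") || return 1
  chmod "$1" "$2" || return 1
  got=$(stat -c %a "$2")
  if (( 8#$got != 8#$1 )); then
    echo "chmod had no effect on $2 (still $got), using setfacl" >&2
    setfacl -s "$acl" "$2" || return 1
    got=$(stat -c %a "$2")
  fi
  (( 8#$got == 8#$1 ))
}
```

Sourcing the file and running set_mode 600 key.pem followed by too_open key.pem shows whether the key would still be rejected by ssh.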

4

chgrp -R Users ~/.ssh

chmod 0600 ~/.ssh/config

chmod 0700 ~/.ssh

xtrimsky

Posted 2012-03-05T22:27:13.483

Reputation: 463

These are the exact steps I needed, +1. – camomileCase – 2014-09-13T22:02:51.610

1

If you have git bash installed run the same command (chmod -c 600 key.pem) with git bash and avoid Cygwin.

TheodorosPloumis

Posted 2012-03-05T22:27:13.483

Reputation: 111

1

This issue can be resolved by running the ssh-keygen command from the Cygwin terminal (not the normal Windows Command Prompt). I have done this on my Windows 8 machine.

Ravindra Jain

Posted 2012-03-05T22:27:13.483

Reputation: 21

4

Can you please elaborate further? How can this fix the problem? What steps should the user take other than "run ssh-keygen from Cygwin"? – DanteTheEgregore – 2014-08-08T15:17:29.970

This just generates a key, but the OP has a key with bad permissions – Jonathan – 2016-02-05T16:55:41.390

Same experience here: chmod / ssh-keygen puts good permission under cygwin, but doesn't do it if I execute them from the windows cmd. (I don't know why though :-) ) – autra – 2018-03-22T08:36:09.627

-2

Run the Cygwin installer and update. The bug should be fixed.

Duncan Calvert

Posted 2012-03-05T22:27:13.483

Reputation: 1

3

Your post needs to be expanded. A good answer includes specific instructions (not just links to them) and an explanation as to how or why the answer addresses the OP's question. Please edit your post to adequately address both of these elements.

– I say Reinstate Monica – 2015-06-15T18:12:34.793