Using Cygwin in Windows 8, chmod 600 does not work as expected?

I'm using Cygwin in the Win8CP, and I had the same issue. It's definitely a Cygwin bug, but there's a workaround: try running:

 chgrp -R Users ~/.ssh

The longer explanation is that, for some reason, Cygwin's /etc/passwd and /etc/group generation are putting the user's default/main group as None. And you cannot change the permission of None, so the chmod for group has no effect.

I didn't try repairing the passwd/group files myself, but I did do a chgrp -R Users ~/.ssh (or, if you are on the Windows 8 pre-release, with the group nameHomeUsers). After that, you can do the chmod 0600 and it'll work as expected.

The chgrp to the Users group can be done in whichever other similar cases you find. It even works as expected since Cygwin puts users in the Users group as a secondary group (instead of primary, which would be the correct behavior).


Starting from Cygwin 1.7.34 (2015-02-04) the method that changes the group to Users no longer works. Instead you need to use Cygwin's setfacl utility.

  • Say, if you want to set file mode to 644 (rw-r--r--) do this:

    setfacl -s u::rw-,g::r--,o:r-- foo.bar
    
  • or use a longer format:

    setfacl -s user::rw-,group::r--,other::r-- foo.bar
    
  • or copy its mode using getfacl from file foo to bar:

    getfacl foo | setfacl -f - bar
    

A complete manual is in the "setfacl" section of the Cygwin user guide. I wonder why Cygwin has not yet changed chmod utility likewise.


Here is a script that uses Luke Lee's suggestion but supports octal args like chmod. It provides a framework that can be extended. although it currently only supports octal args needed to fix permission on key.pem and/or ~/.ssh directory and files.

#!/bin/bash

# convert chmod octal permission args to equivalent setfacl args
ARGS=() ; FILES=()
while [ $# -gt 0 ]; do
  A=$1 ; shift
  case "$A" in
  600|0600) ARGS+=("u::rw-,g::---,o::---") ;;
  640|0640) ARGS+=("u::rw-,g::r--,o::---") ;;
  644|0644) ARGS+=("u::rw-,g::r--,o::r--") ;;
  700|0700) ARGS+=("u::rwx,g::---,o::---") ;;
  *) if [ -e "$A" ]; then FILES+=( "$A" ) ; else
    echo "unrecognized arg [$A]" 1>&2
    exit 1
  fi
  ;;
  esac
done
for F in "${FILES[@]}" ; do
  setfacl -s "${ARGS[@]}" "$F"
done

I used it like this to fix my .ssh directory and files:

chmodfacl 700 ~/.ssh
chmodfacl 600 ~/.ssh/*
chmodfacl 640 ~/.ssh/*.pub