* [ANNOUNCEMENT] Updated: csih-0.1.3-1
@ 2008-04-03 0:03 Charles Wilson
2008-04-03 4:52 ` Charles Wilson
0 siblings, 1 reply; 18+ messages in thread
From: Charles Wilson @ 2008-04-03 0:03 UTC (permalink / raw)
To: cygwin
csih (cygwin-service-installation-helper) provides a library of shell
functions that can be used by other cygwin packages that provide servers
and daemons. It can assist in various service installation tasks, such as:
* identifying the underlying Windows OS
* detecting whether a "privileged user" exists and what its name is
(that is, a user account with enhanced privileges necessary for
some services. These may include, among others:
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight
SeIncreaseQuotaPrivilege
SeServiceLogonRight
* creating a privileged user if one doesn't already exist (assuming the
caller has permissions to create new users, of course)
* creating "normal" users
* obtaining the (localized) name of well known accounts (Guest,
Administrator)
It is currently used by inetutils(iu-config, syslogd-config),
sspi(sspi-config), sysvinit(init-config). csih should not be used
directly; instead, config scripts like the ones mentioned above should
'source' the csih script, and then use the functions provided.
Changes (since unreleased 0.1.1-1)
======================
* added utility: 'winProductName' which obtains the exact
operating system name (with finer granularity than `uname')
Currently used only to distinguish between vista and server2008.
* New system id function: csih_is_exactly_vista(),
csih_is_exactly_server2008
* Protection against evaluating $0 when invoked by login shell
Changes (since unreleased 0.1-1)
======================
* added utility: 'getAccountName' which obtains the (localized) name
of well known accounts
* New system id function: csih_is_2k(), csih_is_xp(), csih_is_vista()
* New function: csih_invoke_helper
invokes utilities in /usr/lib/csih/
* New function: csih_get_localized_account_name
Given an WELL_KNOWN_SID_TYPE enumeration value, uses getAccountName
utility to obtain the localized name associated with the account
* New function: csih_get_guest_account_name
Shortcut using csih_get_localized_account_name for Guest account
* New function: csih_guest_account_active
returns true if Guest account is active, false otherwise
* -src package reorganization
--
Chuck
====================================================================
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page. This downloads setup.exe to your
system. Then, run setup and answer all of the questions.
*** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***
If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there. It will be in the format:
cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com
If you need more information on unsubscribing, start reading here:
http://sources.redhat.com/lists.html#unsubscribe-simple
Please read *all* of the information on unsubscribing that is available
starting at this URL.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-03 0:03 [ANNOUNCEMENT] Updated: csih-0.1.3-1 Charles Wilson
@ 2008-04-03 4:52 ` Charles Wilson
2008-04-03 8:55 ` Corinna Vinschen
0 siblings, 1 reply; 18+ messages in thread
From: Charles Wilson @ 2008-04-03 4:52 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 2280 bytes --]
Attached is an updated implementation of ssh-host-config that uses csih.
It seems to work pretty well for the various tests I've put it through,
although it REQUIRES csih-0.1.3.
(However, the -w/--pwd option doesn't operate correctly, unless you have
patched csih. This problem isn't awful: it's just as if the -w option
were ignored, and you get asked for the password instead)
If you are on WinServer2003/2008 or Vista, this should use/create a
privileged user. If you already have one (sshd_server, cron_server, or
cyg_server), then it will use that. If you don't already have one, then
it will create 'cyg_server' -- or ask you for a name.
If you are on an older windows (but still NT or better), it will use
LocalSystem, unless you invoke ssh-host-config with the '--privileged'
option -- in which case behavior is like Vista & friends, above.
IF you have installed the [test] inetutils-1.5 packages (with support
for xinetd-style /etc/inetd.d/* fragments), then this ssh-host-config
will NOT add a [commented-out] ssh entry to /etc/inetd.config; instead
it will use the attached /etc/default file and create
/etc/inetd.d/sshd-inetd. (Assuming you save the attached file as
/etc/defaults/etc/inetd.d/sshd-inetd)
If you're still using the [current] inetutils-1.3.2-* packages, then
ssh-host-config behavior is as before: it will munge the /etc/inetd.conf
file.
Side note: interactions with inetd and init
IF
a) you use inetd (or xinetd) to invoke sshd, instead of installing
sshd as a service
b) you are on 2003/2008/Vista where sshd MUST be run from a
privileged user, (or you are on NT/2k/XP, but you want to 'play' with
--privileged)
Then inetd/xinetd must be run from that privileged user account (because
slave daemons inherit inetd's user -- or inetd's user must be privileged
anyway in order to switch user context to the desired/specified user.)
Furthermore, if the above is all true AND you launch inetd or xinetd
itself from sysvinit's init process, then /init/ must be run from a
[the?] privileged account as well. Unfortunately, init-config does not
support this behavior out of the box, so you have to manually install
the init service (and don't forget to chown /etc/inittab, /etc/rc, and
/var/log/init.log)
--
Chuck
[-- Attachment #2: ssh-host-config --]
[-- Type: text/plain, Size: 17475 bytes --]
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# ======================================================================
# Initialization
# ======================================================================
PROGNAME=$(basename $0)
_tdir=$(dirname $0)
PROGDIR=$(cd $_tdir && pwd)
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
source ${CSIH_SCRIPT}
port_number=22
privsep_configured=no
privsep_used=yes
cygwin_value="ntsec"
password_value=
# ======================================================================
# Routine: create_host_keys
# ======================================================================
create_host_keys() {
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi
} # --- End of create_host_keys --- #
# ======================================================================
# Routine: update_services_file
# ======================================================================
update_services_file() {
local _my_etcdir="/ssh-host-config.$$"
local _win_etcdir
local _services
local _spaces
local _serv_tmp
local _wservices
if csih_is_nt
then
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
_services="${_my_etcdir}/services"
# On NT, 27 spaces, no space after the hash
_spaces=" #"
else
_win_etcdir="${WINDIR}"
_services="${_my_etcdir}/SERVICES"
# On 9x, 18 spaces (95 is very touchy), a space after the hash
_spaces=" # "
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if mv "${_serv_tmp}" "${_services}"
then
csih_inform "Removing sshd from ${_wservices}"
else
csih_warning "Removing sshd from ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
csih_warning "Removing sshd from ${_wservices} failed!"
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
then
if mv "${_serv_tmp}" "${_services}"
then
csih_inform "Added ssh to ${_wservices}"
else
csih_warning "Adding ssh to ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
csih_warning "Adding ssh to ${_wservices} failed!"
fi
fi
umount "${_my_etcdir}"
} # --- End of update_services_file --- #
# ======================================================================
# Routine: sshd_privsep
# MODIFIES: privsep_configured privsep_used
# ======================================================================
sshd_privsep() {
local sshdconfig_tmp
if [ "${privsep_configured}" != "yes" ]
then
if csih_is_nt
then
csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
csih_inform "However, this requires a non-privileged account called 'sshd'."
csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
if csih_request "Should privilege separation be used?"
then
privsep_used=yes
if ! csih_create_unprivileged_user sshd
then
csih_warning "Couldn't create user 'sshd'!"
csih_warning "Privilege separation set to 'no' again!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
privsep_used=no
fi
else
privsep_used=no
fi
else
# On 9x don't use privilege separation. Since security isn't
# available it just adds useless additional processes.
privsep_used=no
fi
fi
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
s/^#Port 22/Port ${port_number}/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/sshd_config \
> "${sshdconfig_tmp}"
mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
elif [ "${privsep_configured}" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
fi
} # --- End of sshd_privsep --- #
# ======================================================================
# Routine: update_inetd_conf
# ======================================================================
update_inetd_conf() {
local _inetcnf="${SYSCONFDIR}/inetd.conf"
local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
local _with_comment=1
if [ -d "${_inetcnf_dir}" ]
then
# we have inetutils-1.5 inetd.d support
if [ -f "${_inetcnf}" ]
then
grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
# check for sshd OR ssh in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
then
grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if mv "${_inetcnf_tmp}" "${_inetcnf}"
then
csih_inform "Removed ssh[d] from ${_inetcnf}"
else
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
fi
rm -f "${_inetcnf_tmp}"
else
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
fi
fi
fi
csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
then
if [ "${_with_comment}" -eq 0 ]
then
sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
else
sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
fi
mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
csih_inform "Updated ${_sshd_inetd_conf}"
fi
elif [ -f "${_inetcnf}" ]
then
grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
# check for sshd in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if mv "${_inetcnf_tmp}" "${_inetcnf}"
then
csih_inform "Removed sshd from ${_inetcnf}"
else
csih_warning "Removing sshd from ${_inetcnf} failed!"
fi
rm -f "${_inetcnf_tmp}"
else
csih_warning "Removing sshd from ${_inetcnf} failed!"
fi
fi
# Add ssh line to inetd.conf
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${_with_comment}" -eq 0 ]
then
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
fi
csih_inform "Added ssh to ${_inetcnf}"
fi
fi
} # --- End of update_inetd_conf --- #
# ======================================================================
# Routine: install_service
# Install sshd as a service
# ======================================================================
install_service() {
local run_service_as
local password
if csih_is_nt
then
if ! cygrunsrv -Q sshd >/dev/null 2>&1
then
echo
echo
csih_warning "The following functions require administrator privileges!"
echo
echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
if csih_request "(Say \"no\" if it is already installed as a service)"
then
csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\""
csih_inform "for sshd to be able to change user context without password."
csih_get_cygenv "${cygwin_value}"
if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
then
csih_inform "On Windows Server 2003, Windows Vista, and above, the"
csih_inform "SYSTEM account cannot setuid to other users -- a capability"
csih_inform "sshd requires. You need to have or to create a privileged"
csih_inform "account. This script will help you do so."
echo
if ! csih_create_privileged_user "${password_value}"
then
csih_error_recoverable "There was a serious problem creating a privileged user."
csih_request "Do you want to proceed anyway?" || exit 1
fi
fi
# never returns empty if NT or above
run_service_as=$(csih_service_should_run_as)
if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
then
password="${csih_PRIVILEGED_PASSWORD}"
if [ -z "${password}" ]
then
csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
password="${csih_value}"
fi
fi
# at this point, we either have $run_service_as = "system" and $password is empty,
# or $run_service_as is some privileged user and (hopefully) $password contains
# the correct password. So, from here out, we use '-z "${password}"' to discriminate
# the two cases.
csih_check_user "${run_service_as}"
if [ -z "${password}" ]
then
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
-e CYGWIN="${csih_cygenv}"
then
echo
csih_inform "The sshd service has been installed under the LocalSystem"
csih_inform "account (also known as SYSTEM). To start the service now, call"
csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
csih_inform "will start automatically after the next reboot."
fi
else
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
-e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}"
then
echo
csih_inform "The sshd service has been installed under the '${run_service_as}'"
csih_inform "account. To start the service now, call \`net start sshd' or"
csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
csih_inform "after the next reboot."
fi
fi
# now, if successfully installed, set ownership of the affected files
if cygrunsrv -Q sshd >/dev/null 2>&1
then
chown "${run_service_as}" ${SYSCONFDIR}/ssh*
chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
fi
else
csih_warning "Something went wrong installing the sshd service."
fi
fi # user allowed us to install as service
fi # service not yet installed
fi # csih_is_nt
} # --- End of install_service --- #
# ======================================================================
# Main Entry Point
# ======================================================================
# Check how the script has been started. If
# (1) it has been started by giving the full path and
# that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no". This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist. In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
csih_auto_answer="no"
csih_disable_color
fi
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
csih_auto_answer="no"
csih_disable_color
fi
# ======================================================================
# Parse options
# ======================================================================
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "${option}" in
-d | --debug )
set -x
csih_trace_on
;;
-y | --yes )
csih_auto_answer=yes
;;
-n | --no )
csih_auto_answer=no
;;
-c | --cygwin )
cygwin_value="$1"
shift
;;
-p | --port )
port_number=$1
shift
;;
-w | --pwd )
password_value="$1"
shift
;;
--privileged )
csih_FORCE_PRIVILEGED_USER=yes
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
echo " --port -p <n> sshd listens on port n."
echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
echo " --privileged On Windows NT/2k/XP, require privileged user"
echo " instead of LocalSystem for sshd service."
echo
exit 1
;;
esac
done
# ======================================================================
# Action!
# ======================================================================
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if ps -ef | grep -v grep | grep -q ssh
then
echo
csih_error "There are still ssh processes running. Please shut them down first."
fi
# Check for ${SYSCONFDIR} directory
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
chmod 775 "${SYSCONFDIR}"
setfacl -m u:system:rwx "${SYSCONFDIR}"
# Check for /var/log directory
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
chmod 775 "${LOCALSTATEDIR}/log"
setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
# Create /var/log/lastlog if not already exists
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
echo
csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
"Cannot create ssh host configuration."
fi
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
then
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
chmod 644 ${LOCALSTATEDIR}/log/lastlog
fi
# Create /var/empty file used as chroot jail for privilege separation
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create log directory."
chmod 755 "${LOCALSTATEDIR}/empty"
setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
# host keys
create_host_keys
# use 'cmp' program to determine if a config file is identical
# to the default version of that config file
csih_check_program_or_error cmp diffutils
# handle ssh_config
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults"
if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
if [ "${port_number}" != "22" ]
then
csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
fi
fi
# handle sshd_config (and privsep)
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults"
if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
fi
sshd_privsep
update_services_file
update_inetd_conf
install_service
echo
csih_inform "Host configuration finished. Have fun!"
[-- Attachment #3: csih-changes-for-sshd --]
[-- Type: text/plain, Size: 1434 bytes --]
--- old/cygwin-service-installation-helper.sh 2008-03-16 18:17:28.787375000 -0400
+++ new/cygwin-service-installation-helper.sh 2008-04-03 00:28:05.609375000 -0400
@@ -103,7 +103,7 @@
# ======================================================================
csih_progname=$0
csih_progname_base=$(basename -- $csih_progname)
-csih_VERSION=0.1.2
+csih_VERSION=0.1.3
readonly csih_progname csih_progname_base csih_VERSION
csih_auto_answer=""
@@ -1553,7 +1553,8 @@
# On Windows Server 2003 and above (including Windows Vista), or if
# csih_FORCE_PRIVILEGED_USER == "yes" for Windows NT and above,
# allows user to select a pre-existing privileged user, or to
-# create a new privileged user. Ignores all arguments.
+# create a new privileged user.
+# $1 (optional) will be used as the password if non-empty
#
# Exits on catastrophic error (or if user enters empty password)
# Returns 0 on total success
@@ -1583,7 +1584,7 @@
local admingroup
local dos_var_empty
local _password
- local password_value
+ local password_value="$1"
local passwd_has_expiry_flags
local ret=0
local username_in_admingroup
@@ -1668,6 +1669,8 @@
fi # user allowed us to create account
else # ${username} did not already exist
username_in_sam=yes
+ # use passed-in value as first guess
+ csih_PRIVILEGED_PASSWORD="${password_value}"
fi
if [ "$username_in_sam" = "yes" ]
[-- Attachment #4: etc_defaults_etc_inetd.d_sshd-inetd --]
[-- Type: text/plain, Size: 193 bytes --]
# This file can be used to enable sshd as a slave of the inetd service
# To do so, the line below should be uncommented.
@COMMENT@ ssh stream tcp nowait root /usr/sbin/sshd sshd -i
[-- Attachment #5: Type: text/plain, Size: 218 bytes --]
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-03 4:52 ` Charles Wilson
@ 2008-04-03 8:55 ` Corinna Vinschen
2008-04-07 15:30 ` Corinna Vinschen
0 siblings, 1 reply; 18+ messages in thread
From: Corinna Vinschen @ 2008-04-03 8:55 UTC (permalink / raw)
To: cygwin
On Apr 2 23:46, Charles Wilson wrote:
> Attached is an updated implementation of ssh-host-config that uses csih. It
> seems to work pretty well for the various tests I've put it through,
> although it REQUIRES csih-0.1.3.
Wow, thanks for doing my job. I still have this on my TODO list :}
It would be cool if list folks could give it a try. I will test it
as well, perhaps over the weekend.
> If you are on WinServer2003/2008 or Vista, this should use/create a
> privileged user. If you already have one (sshd_server, cron_server, or
> cyg_server), then it will use that. If you don't already have one, then it
> will create 'cyg_server' -- or ask you for a name.
Just a side note for the records: Windows Server 2003 also includes
Windows XP x64. It's the same OS version 5.2, in contrast to XP x86,
which is OS version 5.1.
Thanks again,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-03 8:55 ` Corinna Vinschen
@ 2008-04-07 15:30 ` Corinna Vinschen
2008-04-08 1:20 ` Charles Wilson
2008-04-08 6:22 ` Charles Wilson
0 siblings, 2 replies; 18+ messages in thread
From: Corinna Vinschen @ 2008-04-07 15:30 UTC (permalink / raw)
To: cygwin
On Apr 3 10:55, Corinna Vinschen wrote:
> On Apr 2 23:46, Charles Wilson wrote:
> > Attached is an updated implementation of ssh-host-config that uses csih. It
> > seems to work pretty well for the various tests I've put it through,
> > although it REQUIRES csih-0.1.3.
>
> Wow, thanks for doing my job. I still have this on my TODO list :}
> It would be cool if list folks could give it a try. I will test it
> as well, perhaps over the weekend.
Looks good to me. I will upload a new OpenSSH release in the next
couple of days, but I guess I'll wait until you uploaded a new csih
release.
Btw., I have a tiny patch to fix two typos in the file
cygwin-service-installation-helper.sh. Maybe you could apply them as
well?
Thanks,
Corinna
--- cygwin-service-installation-helper.sh.ORIG 2008-04-07 17:07:20.212750000 +0200
+++ cygwin-service-installation-helper.sh 2008-04-07 17:11:48.056500000 +0200
@@ -1514,7 +1514,7 @@ _csih_setup()
if ! csih_check_dir_perms "${LOCALSTATEDIR}" d..x..x..x
then
- csih_error "Proglem with ${LOCALSTATEDIR} directory. Exiting."
+ csih_error "Problem with ${LOCALSTATEDIR} directory. Exiting."
fi
csih_make_dir "${LOCALSTATEDIR}/run"
@@ -1648,7 +1648,7 @@ csih_create_privileged_user()
csih_inform "the '${username}' account."
echo ""
csih_inform "Also keep in mind that the user '${username}' needs read permissions"
- csih_inform "for on all users' relevant files for the services running as '${username}'."
+ csih_inform "on all users' relevant files for the services running as '${username}'."
csih_inform "In particular, for the sshd server all users' .ssh/authorized_keys files"
csih_inform "must have appropriate permissions to allow public key authentication."
csih_inform "(Re-)running ssh-user-config for each user will set these permissions"
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-07 15:30 ` Corinna Vinschen
@ 2008-04-08 1:20 ` Charles Wilson
2008-04-08 2:26 ` Attn: cygport, openssh, and exim/cron maintainers [Was: [ANNOUNCEMENT] Updated: csih-0.1.3-1] Charles Wilson
2008-04-08 5:32 ` [ANNOUNCEMENT] Updated: csih-0.1.3-1 Charles Wilson
2008-04-08 6:22 ` Charles Wilson
1 sibling, 2 replies; 18+ messages in thread
From: Charles Wilson @ 2008-04-08 1:20 UTC (permalink / raw)
To: cygwin
Corinna Vinschen wrote:
> On Apr 3 10:55, Corinna Vinschen wrote:
>> On Apr 2 23:46, Charles Wilson wrote:
>>> Attached is an updated implementation of ssh-host-config that uses csih. It
>>> seems to work pretty well for the various tests I've put it through,
>>> although it REQUIRES csih-0.1.3.
>> Wow, thanks for doing my job. I still have this on my TODO list :}
>> It would be cool if list folks could give it a try. I will test it
>> as well, perhaps over the weekend.
>
> Looks good to me. I will upload a new OpenSSH release in the next
> couple of days, but I guess I'll wait until you uploaded a new csih
> release.
Don't forget that ssh-user-config should probably be updated to use csih
also. Otherwise, it will assume that the privileged user is sshd_server,
when it might be that, or cyg_server or cron_server.
Instead, it should do:
if csih_is_nt
then
_user=$(csih_service_should_run_as)
if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" \
"${pwdhome}/.ssh"
then
csih_error_multiline \
"${pwdhome}/.ssh couldn't be given the correct permissions," \
"assuming that the sshd server is running under the `${_user}'" \
"account. Please try to solve this problem first."
fi
fi
Unfortunately, right now csih_service_should_run_as only works if
csih_select_privileged_username has been called -- but that function is
very wordy, and blathers on about 'creating' the privileged user.
(csih_select_privileged_username, while public, is normally called by
csih_create_privileged_user).
I need to create an internal csih helper function that can be called by
csih_service_should_run_as if csih_PRIVILEGED_USERNAME is not already
set, which will quietly do *some* of the stuff in
csih_select_privileged_username in order to initialize
csih_PRIVILEGED_USERNAME.
> Btw., I have a tiny patch to fix two typos in the file
> cygwin-service-installation-helper.sh. Maybe you could apply them as
> well?
Sure, and thanks.
--
Chuck
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Attn: cygport, openssh, and exim/cron maintainers [Was: [ANNOUNCEMENT] Updated: csih-0.1.3-1]
2008-04-08 1:20 ` Charles Wilson
@ 2008-04-08 2:26 ` Charles Wilson
2008-04-08 8:12 ` Corinna Vinschen
2008-04-08 5:32 ` [ANNOUNCEMENT] Updated: csih-0.1.3-1 Charles Wilson
1 sibling, 1 reply; 18+ messages in thread
From: Charles Wilson @ 2008-04-08 2:26 UTC (permalink / raw)
To: cygwin
I'm trying to be explicit about licensing in csih for the next release.
I realize it's a little silly to use the GPL on a script (binary ==
source, right?), but it may be necessary because part of it is derived
from cygport, which is GPLv3.
csih (the script part) has been derived from a number of sources:
# ssh-host-config Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
# part of the Cygwin port of OpenSSH
(no explicit licensing)
# cygport Copyright (C) 2006, 2007 Yaakov Selkowitz
# GPL v3
(mostly the messaging functions: csih_inform, csih_error, etc)
# exim-config Copyright Pierre A. Humblet, 2003-2007.
# cron-config Copyright Pierre A. Humblet, 2003-2007.
(no explicit licensing)
For the csih.sh function library, I'd like to use one of the following
two licenses:
(1) MIT/X
or
(2) GPLv3 with an exception clause modeled after the javascript example
from http://www.gnu.org/licenses/gpl-faq.html#WMS. See below.
In both cases, I need permission from the maintainers of the four
packages above. With respect to csih.sh, I'd prefer MIT/X because (a)
source == binary, so forcing "make sure the source is available" seems a
bit silly, and (b) just less hassle all around.
In either case, the intent is so that the various foo-config scripts
don't have to be as concerned about their own license terms, as long as
they are just using csih. Of course, if you copy the code for
csih_foo() so that you can make a modified version of that function,
then the full terms -- GPLv3 "viralness and all" if option #2, or no
real impact if option #1 -- apply.
========= snip (option #2) ==========
This file, cygwin-service-installation-helper.sh, is part of csih. csih
has several components which are distributed under various licenses.
cygwin-service-installation-helper.sh is free software: you can
redistribute it and/or modify it under the terms of the GNU General
Public License as published by the Free Software Foundation, either
version 3 of the License, or (at your option) any later version.
cygwin-service-installation-helper.sh is distributed in the hope that it
will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with csih. If not, see <http://www.gnu.org/licenses/>.
As a special exception to GPL, any shell script or executable that
merely makes function calls to this code, and for that purpose includes
it by reference shall be deemed a separate work for copyright law
purposes. In addition, the copyright holders of this code give you
permission to combine this code with free software libraries that are
released under the GNU LGPL. You may copy and distribute such a system
following the terms of the GNU GPL for this code and the LGPL for the
libraries. If you modify this code, you may extend this exception to
your version of the code, but you are not obligated to do so. If you do
not wish to do so, delete this exception statement from your version.
========= snap ==========
Can I get a yes or no from the three maintainers of all four of the
packages listed below, on the following questions:
openssh
cygport
exim, cron
Can I use the MIT/X license for the portions of
cygwin-service-installation-helper.sh that were derived from the config
script(s) under your control?
Can I use the GPLv3-with-exception license above for the portions of
cygwin-service-installation-helper.sh that were derived from the config
script(s) under your control?
If both, which do you prefer?
--
Chuck
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-08 1:20 ` Charles Wilson
2008-04-08 2:26 ` Attn: cygport, openssh, and exim/cron maintainers [Was: [ANNOUNCEMENT] Updated: csih-0.1.3-1] Charles Wilson
@ 2008-04-08 5:32 ` Charles Wilson
2008-04-08 8:13 ` Corinna Vinschen
1 sibling, 1 reply; 18+ messages in thread
From: Charles Wilson @ 2008-04-08 5:32 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 263 bytes --]
Well, I'm waiting for answers to the questions here:
http://cygwin.com/ml/cygwin/2008-04/msg00211.html
from Corinna and Yaakov, but in the meantime:
Here's a version of ssh-user-config that works with CVS csih (what will
become 0.1.4 very soon).
--
Chuck
[-- Attachment #2: ssh-user-config --]
[-- Type: text/plain, Size: 10882 bytes --]
#!/bin/bash
#
# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# ======================================================================
# Initialization
# ======================================================================
PROGNAME=$(basename -- $0)
_tdir=$(dirname -- $0)
PROGDIR=$(cd $_tdir && pwd)
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
source ${CSIH_SCRIPT}
auto_passphrase="no"
passphrase=""
pwdhome=
with_passphrase=
sshd_user=
# ======================================================================
# Routine: create_ssh1_identity
# optionally create ~/.ssh/identity[.pub]
# optionally add result to ~/.ssh/authorized_keys
# ======================================================================
create_ssh1_identity() {
if [ ! -f "${pwdhome}/.ssh/identity" ]
then
if csih_request "Shall I create an SSH1 RSA identity file for you?"
then
csih_inform "Generating ${pwdhome}/.ssh/identity"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
else
ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
fi
if csih_request "Do you want to use this identity to login to this machine?"
then
csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
} # === End of create_ssh1_identity() === #
readonly -f create_ssh1_identity
# ======================================================================
# Routine: create_ssh2_rsa_identity
# optionally create ~/.ssh/id_rsa[.pub]
# optionally add result to ~/.ssh/authorized_keys
# ======================================================================
create_ssh2_rsa_identity() {
if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
then
if csih_request "Shall I create an SSH2 RSA identity file for you?"
then
csih_inform "Generating ${pwdhome}/.ssh/id_rsa"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
else
ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
fi
if csih_request "Do you want to use this identity to login to this machine?"
then
csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
} # === End of create_ssh2_rsa_identity() === #
readonly -f create_ssh2_rsa_identity
# ======================================================================
# Routine: create_ssh2_dsa_identity
# optionally create ~/.ssh/id_dsa[.pub]
# optionally add result to ~/.ssh/authorized_keys
# ======================================================================
create_ssh2_dsa_identity() {
if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
then
if csih_request "Shall I create an SSH2 DSA identity file for you?"
then
csih_inform "Generating ${pwdhome}/.ssh/id_dsa"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
else
ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
fi
if csih_request "Do you want to use this identity to login to this machine?"
then
csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
} # === End of create_ssh2_dsa_identity() === #
readonly -f create_ssh2_dsa_identity
# ======================================================================
# Routine: check_user_homedir
# Perform various checks on the user's home directory
# SETS GLOBAL VARIABLE:
# pwdhome
# ======================================================================
check_user_homedir() {
local uid=$(id -u)
pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd)
if [ "X${pwdhome}" = "X" ]
then
csih_error_multiline \
"There is no home directory set for you in ${SYSCONFDIR}/passwd." \
'Setting $HOME is not sufficient!'
fi
if [ ! -d "${pwdhome}" ]
then
csih_error_multiline \
"${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \
'but it is not a valid directory. Cannot create user identity files.'
fi
# If home is the root dir, set home to empty string to avoid error messages
# in subsequent parts of that script.
if [ "X${pwdhome}" = "X/" ]
then
# But first raise a warning!
csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
if csih_request "Would you like to proceed anyway?"
then
pwdhome=''
else
csih_warning "Exiting. Configuration is not complete"
exit 1
fi
fi
if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
then
echo
csih_warning 'group and other have been revoked write permission to your home'
csih_warning "directory ${pwdhome}."
csih_warning 'This is required by OpenSSH to allow public key authentication using'
csih_warning 'the key files stored in your .ssh subdirectory.'
csih_warning 'Revert this change ONLY if you know what you are doing!'
echo
fi
} # === End of check_user_homedir() === #
readonly -f check_user_homedir
# ======================================================================
# Routine: check_user_dot_ssh_dir
# Perform various checks on the ~/.ssh directory
# PREREQUISITE:
# pwdhome -- check_user_homedir()
# ======================================================================
check_user_dot_ssh_dir() {
if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
then
csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
fi
if [ ! -e "${pwdhome}/.ssh" ]
then
mkdir "${pwdhome}/.ssh"
if [ ! -e "${pwdhome}/.ssh" ]
then
csih_error "Creating users ${pwdhome}/.ssh directory failed"
fi
fi
} # === End of check_user_dot_ssh_dir() === #
readonly -f check_user_dot_ssh_dir
# ======================================================================
# Routine: compute_sshd_user
# Computes the account under which the sshd server should run
# PREREQUISITE:
# pwdhome -- check_user_homedir()
# ======================================================================
compute_sshd_user() {
if csih_is_nt
then
csih_select_privileged_username -q sshd
sshd_user=$(csih_service_should_run_as)
if ! setfacl -m "u::rwx,u:${sshd_user}:r--,g::---,o::---" \
"${pwdhome}/.ssh"
then
csih_error_multiline \
"${pwdhome}/.ssh couldn't be given the correct permissions," \
"assuming that the sshd server is running under the '${sshd_user}'" \
"account. Please try to solve this problem first."
fi
fi
} # === End of compute_sshd_user() === #
readonly -f compute_sshd_user
# ======================================================================
# Routine: fix_authorized_keys_perms
# Corrects the permissions of ~/.ssh/authorized_keys
# PREREQUISITE:
# pwdhome -- check_user_homedir()
# sshd_user -- compute_sshd_user()
# ======================================================================
fix_authorized_keys_perms() {
if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ]
then
if ! setfacl -m "u::rw-,u:${sshd_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
then
csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
csih_warning "failed. Please care for the correct permissions. The minimum requirement"
csih_warning "is, the owner and ${sshd_user} both need read permissions."
echo
fi
fi
} # === End of fix_authorized_keys_perms() === #
readonly -f fix_authorized_keys_perms
# ======================================================================
# Main Entry Point
# ======================================================================
# Check how the script has been started. If
# (1) it has been started by giving the full path and
# that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
# SSH_USER_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no". This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist. In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
csih_auto_answer="no"
csih_disable_color
fi
if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
then
csih_auto_answer="no"
csih_disable_color
fi
# ======================================================================
# Parse options
# ======================================================================
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "$option" in
-d | --debug )
set -x
csih_trace_on
;;
-y | --yes )
csih_auto_answer=yes
;;
-n | --no )
csih_auto_answer=no
;;
-p | --passphrase )
with_passphrase="yes"
passphrase=$1
shift
;;
--privileged )
csih_FORCE_PRIVILEGED_USER=yes
;;
*)
echo "usage: ${PROGNAME} [OPTION]..."
echo
echo "This script creates an OpenSSH user configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --passphrase -p word Use \"word\" as passphrase automatically."
echo " --privileged On Windows NT/2k/XP, assume privileged user"
echo " instead of LocalSystem for sshd service."
echo
exit 1
;;
esac
done
# ======================================================================
# Action!
# ======================================================================
# Check passwd file
if [ ! -f ${SYSCONFDIR}/passwd ]
then
csih_error_multiline \
"${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \
'first using mkpasswd. Check if it contains an entry for you and' \
'please care for the home directory in your entry as well.'
fi
check_user_homedir
check_user_dot_ssh_dir
compute_sshd_user
create_ssh1_identity
create_ssh2_rsa_identity
create_ssh2_dsa_identity
fix_authorized_keys_perms
echo
csih_inform "Configuration finished. Have fun!"
[-- Attachment #3: Type: text/plain, Size: 218 bytes --]
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-07 15:30 ` Corinna Vinschen
2008-04-08 1:20 ` Charles Wilson
@ 2008-04-08 6:22 ` Charles Wilson
2008-04-08 8:13 ` Corinna Vinschen
1 sibling, 1 reply; 18+ messages in thread
From: Charles Wilson @ 2008-04-08 6:22 UTC (permalink / raw)
To: cygwin
Corinna Vinschen wrote:
> Looks good to me. I will upload a new OpenSSH release in the next
> couple of days, but I guess I'll wait until you uploaded a new csih
> release.
A couple of reminders:
(1) add csih to requires:
(2) the implementation of ssh-host-config I posted adds a dependency on
diffutils, which is not a 'base' package, so that's another requires:
(3) don't forget the /etc/defaults/etc/inetd.d/sshd-inetd file from here:
http://cygwin.com/ml/cygwin/2008-04/msg00079.html
--
Chuck
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Attn: cygport, openssh, and exim/cron maintainers [Was: [ANNOUNCEMENT] Updated: csih-0.1.3-1]
2008-04-08 2:26 ` Attn: cygport, openssh, and exim/cron maintainers [Was: [ANNOUNCEMENT] Updated: csih-0.1.3-1] Charles Wilson
@ 2008-04-08 8:12 ` Corinna Vinschen
0 siblings, 0 replies; 18+ messages in thread
From: Corinna Vinschen @ 2008-04-08 8:12 UTC (permalink / raw)
To: cygwin
On Apr 7 21:18, Charles Wilson wrote:
> I'm trying to be explicit about licensing in csih for the next release. I
> realize it's a little silly to use the GPL on a script (binary == source,
> right?), but it may be necessary because part of it is derived from
> cygport, which is GPLv3.
>
> csih (the script part) has been derived from a number of sources:
>
> # ssh-host-config Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
> # part of the Cygwin port of OpenSSH
> (no explicit licensing)
It's implicitely BSD licensed due to it's nature to be part of the
OpenSSH source tree. I will stick to this notion for the
ssh-host-config and ssh-user-config script.
> # cygport Copyright (C) 2006, 2007 Yaakov Selkowitz
> # GPL v3
> (mostly the messaging functions: csih_inform, csih_error, etc)
>
> # exim-config Copyright Pierre A. Humblet, 2003-2007.
> # cron-config Copyright Pierre A. Humblet, 2003-2007.
> (no explicit licensing)
>[...]
> Can I use the MIT/X license for the portions of
> cygwin-service-installation-helper.sh that were derived from the config
> script(s) under your control?
The MIT license is fine with me.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-08 5:32 ` [ANNOUNCEMENT] Updated: csih-0.1.3-1 Charles Wilson
@ 2008-04-08 8:13 ` Corinna Vinschen
2008-04-09 12:14 ` Corinna Vinschen
0 siblings, 1 reply; 18+ messages in thread
From: Corinna Vinschen @ 2008-04-08 8:13 UTC (permalink / raw)
To: cygwin
On Apr 8 01:21, Charles Wilson wrote:
> Well, I'm waiting for answers to the questions here:
> http://cygwin.com/ml/cygwin/2008-04/msg00211.html
> from Corinna and Yaakov, but in the meantime:
>
> Here's a version of ssh-user-config that works with CVS csih (what will
> become 0.1.4 very soon).
Cool, thanks!
I'll have a look,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-08 6:22 ` Charles Wilson
@ 2008-04-08 8:13 ` Corinna Vinschen
0 siblings, 0 replies; 18+ messages in thread
From: Corinna Vinschen @ 2008-04-08 8:13 UTC (permalink / raw)
To: cygwin
On Apr 8 01:30, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> Looks good to me. I will upload a new OpenSSH release in the next
>> couple of days, but I guess I'll wait until you uploaded a new csih
>> release.
>
> A couple of reminders:
> (1) add csih to requires:
>
> (2) the implementation of ssh-host-config I posted adds a dependency on
> diffutils, which is not a 'base' package, so that's another requires:
>
> (3) don't forget the /etc/defaults/etc/inetd.d/sshd-inetd file from here:
> http://cygwin.com/ml/cygwin/2008-04/msg00079.html
Yes, yes and yes.
Thanks,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-08 8:13 ` Corinna Vinschen
@ 2008-04-09 12:14 ` Corinna Vinschen
0 siblings, 0 replies; 18+ messages in thread
From: Corinna Vinschen @ 2008-04-09 12:14 UTC (permalink / raw)
To: cygwin
On Apr 8 10:12, Corinna Vinschen wrote:
> On Apr 8 01:21, Charles Wilson wrote:
> > Well, I'm waiting for answers to the questions here:
> > http://cygwin.com/ml/cygwin/2008-04/msg00211.html
> > from Corinna and Yaakov, but in the meantime:
> >
> > Here's a version of ssh-user-config that works with CVS csih (what will
> > become 0.1.4 very soon).
>
> Cool, thanks!
>
> I'll have a look,
> Corinna
Looks ok, but I have a few questions/comments.
- When the script starts, the following text appears:
*** Info: You appear to be running Windows 2003 Server or later. On 2003 and
*** Info: later systems, it's not possible to use the LocalSystem account
*** Info: for services that can change the user id without an explicit password
*** Info: (such as passwordless logins [e.g. public key authentication] via sshd).
*** Info: If you want to enable that functionality, it's required to create a new
*** Info: account with special privileges (unless a similar account already exists).
*** Info: This account is then used to run these special servers.
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges itself.
*** Info: The following privileged accounts were found: 'cyg_server' .
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will not be able to log on interactively, but will only
*** Info: be used by registered services.
*** Query: Do you want to use different name? (yes/no) no
The query "Do you want to use different name?" is a bit upside down,
IMHO. The query should be rather phrased positively "Do you want to use
t name?"
However, I think the whole message is too noisy and confusing for
non-admins. The default user doesn't actually know which user name the
sshd service is running under. Additionally, given that Cygwin opens
files always with BACKUP_INTENT for a while anyway, and given that the
service account is a member of the administrators group, which has
backup user rights, there's not much reason anymore to add the service
account to the ACL. I fear that's just old cruft in the ssh-user-script.
But, here's a question: Shouldn't the csih_privileged_accounts() function
check the service itself, rather than testing possible names with `net
user'? It would be as simple as giving csih_privileged_accounts the
service name as $1 argument, and then extract the user name with something
along the lines of
svc_user=$(regtool get '/HKLM/SYSTEM/CurrentControlSet/Services/$1/ObjectName')
svc_user="${svc_user/\.\\/$COMPUTERNAME}"
svc_user=$([ "$svc_user" = "LocalSystem" ] && echo "SYSTEM" || echo $(fgrep "${svc_user}" /etc/passwd | cut -d: -f 1))
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-09 16:20 ` Corinna Vinschen
2008-04-09 16:38 ` Mark J. Reed
@ 2008-04-10 7:49 ` Charles Wilson
1 sibling, 0 replies; 18+ messages in thread
From: Charles Wilson @ 2008-04-10 7:49 UTC (permalink / raw)
To: cygwin
Corinna Vinschen wrote:
> On Apr 9 10:55, Charles Wilson wrote:
>> Hopefully, that's more acceptable for ssh-user-config?
>
> My bad, I didn't update csih to CVS. I still think that's too much for
> ssh-user-config. But since we don't need the setfacl anymore, that's
> a moot point now.
It may be a moot point for ssh-user-config, but it could be a useful
behavior for some other -user-config (maybe cron user customizations?).
So, I've gone ahead and made the behavior silent if the
associated/specified server is already installed. See below.
> And that was really very nice. I'm not trying to critizise the general
> approach. I just think we (that is: I) should get rid of the entire
> message and the setfacl in ssh-user-config.
Well, that will certainly simplify things. However, operating on the old
assumption, the new (not even in CVS yet) version of csih lets you do this:
compute_sshd_user() {
if csih_is_nt
then
if ! cygrunsrv -Q sshd >/dev/null 2>&1
then
csih_select_privileged_username -q sshd
fi
sshd_user=$(csih_service_should_run_as sshd)
if ! setfacl -m "u::rwx,u:${sshd_user}:r--,g::---,o::---" \
"${pwdhome}/.ssh"
then
csih_error_multiline \
....
}
(a) if your service is installed, then you go directly to
csih_service_should_run_as with the (new, optional) argument 'sshd'
(b) otherwise, behavior is the "quiet but not silent" I described in my
last email -- and that all arises from calling
csih_select_privileged_username -q sshd -- which is why the client
(ssh-user-config) skips it if possible.
>>> svc_user=$(regtool get '/HKLM/SYSTEM/CurrentControlSet/Services/$1/ObjectName')
>>> svc_user="${svc_user/\.\\/$COMPUTERNAME}"
>>> svc_user=$([ "$svc_user" = "LocalSystem" ] && echo "SYSTEM" || echo $(fgrep "${svc_user}" /etc/passwd | cut -d: -f 1))
>> (a) csih_select_privileged_username (in CVS) already optionally accepts
>> the service name in addition to the -q option. Currently it is only used
>> to customize the Info: messages (see ${opt_servicename}, above). So
>> this is even easier to add than you imagine -- if it is truly desirable
>> to do so.
>>
>> (b) You could also do 'foo=$(cygrunsrv -V -L ${service} | sed -n
>> '/Account/p' | awk '{print $NF}'); foo=$(basename $foo)' which amounts
>> to the same thing.
>
> Urgh! Isn't it embarassing that *I* missed to use cygrunsrv for that?
Well, my version wasn't exactly right either. You need to (and the new,
not even in CVS yet version does) do this:
username=$(cygrunsrv -V -Q "${opt_servicename}" 2>&1 |\
sed -n -e '/^Account/s/^.* : //p')
username="${username/\.\\/${COMPUTERNAME}\\}"
# and then something like
[ "${username}" = "LocalSystem" ] \
&& username=SYSTEM \
|| username=$(fgrep "${username}" /etc/passwd | cut -d: -f 1)
>
>> (c) But what if ${service} has not yet been installed, even though [a]
>> common service account exists [perhaps used by some other installed
>> cygwin service]? Then you'd still need the existing logic...
>
> Right, but that should probably be a fallback.
Ok, that's the way it works now. But it is also why the user-config
client needs to check 'cygrunsrv -Q myservice' and call
csih_select_privileged_username -q myservice
if the service is not already installed.
> If the service exists,
> it could run under *any* account. It might be interesting for csih to
> check always for the user running the service, not only on 2k3 and
> above.
OK, csih_select_privileged_username only cares for users with the
special (required on nt2003) perms -- therefore, it still checks
is_nt20003 || (nt && force_privileged). However, if the service is
installed, then 'csih_service_should_run_as myservice' will return the
user it is installed under, regardless of OS.
(Well, 9x always returns "")
If the service is not installed, then the behavior of
sih_service_should_run_a is as before:
nt2003: find pre-existing 'well-known' privileged user and specify
that, or
default to cyg_server
nt && !nt2003 && !force_privileged: default to SYSTEM
!nt (e.g. 9x): ""
> For the ssh-user-config script you won't need it anymore. I have a
> hard time to see that a normal user should know or decide about stuff
> like that.
Well, with the incantation in compute_sshd_user() above, IF the admin
has already installed the service, then the user-config script will be
silent (at least with regards to these issues concerning the service's
user account.) It will only print messages (and perhaps ask questions
the user is ill-equipped to answer) if the user-config script is run but
the associated server has not been installed.
Of course, if you don't care what sshd_user is, then you don't call
either of
csih_select_privileged_username
csih_service_should_run_as
and it's guaranteed to be quiet. <g>
> Nothing of that is actually helpful or informative for a
> "just-a-user" user. And except for setting permissions (which isn't
> necessary!) I really think we should not call this function from pure
> user config scripts.
That's up to the maintainer of each csih client package. You don't want
to call these 'hey, what account is the server running as?' function,
you don't need to.
--
Chuck
P.S. "not even in CVS yet" -- because in anticipation of getting
approval from Corinna, Pierre, and Yaakov for explicitly specifying the
license terms of csih.sh, I went ahead an made those changes to NEWS,
COPYING, csih.sh, AUTHORS, etc.
Corinna: MIT/X ok
Pierre: MIT/X ok
Yaakov: ...
Yaakov?
Bueller?
Is this thing on?
<tap>, <tap>
hello?
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-09 17:50 ` Matt Wozniski
@ 2008-04-09 18:52 ` Mark J. Reed
0 siblings, 0 replies; 18+ messages in thread
From: Mark J. Reed @ 2008-04-09 18:52 UTC (permalink / raw)
To: cygwin
On Wed, Apr 9, 2008 at 12:38 PM, Matt Wozniski <godlygeek@gmail.com> wrote:
> On Wed, Apr 9, 2008 at 12:20 PM, Mark J. Reed wrote:
> > Sorry for interrupting, but what is csih?
>
> First sentence of the first post of the thread:
...which I don't seem to have received, for some reason. The first
message I have is from Corrina, obviously a reply to Charles, but I
don't have Charles' message. Odd.
Thanks for the quote.
--
Mark J. Reed <markjreed@mail.com>
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-09 16:38 ` Mark J. Reed
@ 2008-04-09 17:50 ` Matt Wozniski
2008-04-09 18:52 ` Mark J. Reed
0 siblings, 1 reply; 18+ messages in thread
From: Matt Wozniski @ 2008-04-09 17:50 UTC (permalink / raw)
To: cygwin
On Wed, Apr 9, 2008 at 12:20 PM, Mark J. Reed wrote:
> Sorry for interrupting, but what is csih?
First sentence of the first post of the thread:
csih (cygwin-service-installation-helper) provides a library of shell
functions that can be used by other cygwin packages that provide
servers and daemons. It can assist in various service installation
tasks, such as:
[snip]
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-09 16:20 ` Corinna Vinschen
@ 2008-04-09 16:38 ` Mark J. Reed
2008-04-09 17:50 ` Matt Wozniski
2008-04-10 7:49 ` Charles Wilson
1 sibling, 1 reply; 18+ messages in thread
From: Mark J. Reed @ 2008-04-09 16:38 UTC (permalink / raw)
To: cygwin
Sorry for interrupting, but what is csih?
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
2008-04-09 16:12 Charles Wilson
@ 2008-04-09 16:20 ` Corinna Vinschen
2008-04-09 16:38 ` Mark J. Reed
2008-04-10 7:49 ` Charles Wilson
0 siblings, 2 replies; 18+ messages in thread
From: Corinna Vinschen @ 2008-04-09 16:20 UTC (permalink / raw)
To: cygwin
On Apr 9 10:55, Charles Wilson wrote:
> On Wed, 9 Apr 2008 14:09:56 +0200, Corinna Vinschen wrote:
> >Looks ok, but I have a few questions/comments.
> >
> >- When the script starts, the following text appears:
> [snip verbose output]
> >However, I think the whole message is too noisy and confusing for
> >non-admins.
>
> That is odd. That particular text was mostly taken from ssh-host-config,
> and should only appear if your script calls
> csih_select_privileged_username() with no arguments (or if you are using
> csih-0.1.3, instead of CVS csih) -- that is, the way ssh-host-config
> calls it. The older version of csih_select_privileged_username ignores
> its arguments; the newer one honors the '-q' option that [my]
> ssh-user-config gives it. In which case, what you should see is
> something like the following (but only if nt2003 or
> csih_FORCE_PRIVILEGED_USER):
>
> *** Info: The following privileged accounts were found: ....
> *** Info: This script will assume that ${opt_servicename} will run under
> the"
> *** Info: '${username}' account."
> *** Query: Will ${opt_servicename} run under a different account?"
> [yes/no], if yes, then:
> *** Query: Enter the user name used by ${opt_servicename}:
>
> Hopefully, that's more acceptable for ssh-user-config?
My bad, I didn't update csih to CVS. I still think that's too much for
ssh-user-config. But since we don't need the setfacl anymore, that's
a moot point now.
> >Additionally, given that Cygwin opens
> >files always with BACKUP_INTENT for a while anyway, and given that the
> >service account is a member of the administrators group, which has
> >backup user rights, there's not much reason anymore to add the service
> >account to the ACL. I fear that's just old cruft in the ssh-user-script.
>
> Well, that's up to you. I wanted to do something that was as close to
> equivalent as the existing ssh-[host|user]-config, with only those
> changes necessary to support a common service account whose name might
> not be 'sshd_service'.
And that was really very nice. I'm not trying to critizise the general
approach. I just think we (that is: I) should get rid of the entire
message and the setfacl in ssh-user-config.
> >The query "Do you want to use different name?" is a bit upside down,
> >IMHO. The query should be rather phrased positively "Do you want to use
> >t name?"
>
> I already addressed this:
> http://cygwin.com/ml/cygwin/2008-03/msg00447.html
>
> Phrasing that question in the opposite sense breaks postinstall scripts,
> where auto_answer="no". That is:
>
> Do you want to use this name? <no>
> Enter the name you want to use: <hangs>
>
> ...and that would be bad. Now, the openssh package does not invoke its
> config scripts from /etc/postinstall, but others do. So I need to take
> care that the auto_answer="no" case never hangs.
Ok, agreed.
> > svc_user=$(regtool get '/HKLM/SYSTEM/CurrentControlSet/Services/$1/ObjectName')
> > svc_user="${svc_user/\.\\/$COMPUTERNAME}"
> > svc_user=$([ "$svc_user" = "LocalSystem" ] && echo "SYSTEM" || echo $(fgrep "${svc_user}" /etc/passwd | cut -d: -f 1))
>
> (a) csih_select_privileged_username (in CVS) already optionally accepts
> the service name in addition to the -q option. Currently it is only used
> to customize the Info: messages (see ${opt_servicename}, above). So
> this is even easier to add than you imagine -- if it is truly desirable
> to do so.
>
> (b) You could also do 'foo=$(cygrunsrv -V -L ${service} | sed -n
> '/Account/p' | awk '{print $NF}'); foo=$(basename $foo)' which amounts
> to the same thing.
Urgh! Isn't it embarassing that *I* missed to use cygrunsrv for that?
> (c) But what if ${service} has not yet been installed, even though [a]
> common service account exists [perhaps used by some other installed
> cygwin service]? Then you'd still need the existing logic...
Right, but that should probably be a fallback. If the service exists,
it could run under *any* account. It might be interesting for csih to
check always for the user running the service, not only on 2k3 and
above.
> Furthermore, remember that these routines are shared between (the more
> common) install-a-service config scripts, and (less common) user config
> scripts like ssh-user-config. In the former [common] case, assuming
> ${service} is not installed, you will always need the existing logic.
For the ssh-user-config script you won't need it anymore. I have a
hard time to see that a normal user should know or decide about stuff
like that. Nothing of that is actually helpful or informative for a
"just-a-user" user. And except for setting permissions (which isn't
necessary!) I really think we should not call this function from pure
user config scripts.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
@ 2008-04-09 16:12 Charles Wilson
2008-04-09 16:20 ` Corinna Vinschen
0 siblings, 1 reply; 18+ messages in thread
From: Charles Wilson @ 2008-04-09 16:12 UTC (permalink / raw)
To: cygwin
On Wed, 9 Apr 2008 14:09:56 +0200, Corinna Vinschen wrote:
>Looks ok, but I have a few questions/comments.
>
>- When the script starts, the following text appears:
[snip verbose output]
>However, I think the whole message is too noisy and confusing for
>non-admins.
That is odd. That particular text was mostly taken from ssh-host-config,
and should only appear if your script calls
csih_select_privileged_username() with no arguments (or if you are using
csih-0.1.3, instead of CVS csih) -- that is, the way ssh-host-config
calls it. The older version of csih_select_privileged_username ignores
its arguments; the newer one honors the '-q' option that [my]
ssh-user-config gives it. In which case, what you should see is
something like the following (but only if nt2003 or
csih_FORCE_PRIVILEGED_USER):
*** Info: The following privileged accounts were found: ....
*** Info: This script will assume that ${opt_servicename} will run under
the"
*** Info: '${username}' account."
*** Query: Will ${opt_servicename} run under a different account?"
[yes/no], if yes, then:
*** Query: Enter the user name used by ${opt_servicename}:
Hopefully, that's more acceptable for ssh-user-config?
>The default user doesn't actually know which user name the
>sshd service is running under.
Well, maybe. But what if ssh-host-config hasn't yet been run? see below.
>Additionally, given that Cygwin opens
>files always with BACKUP_INTENT for a while anyway, and given that the
>service account is a member of the administrators group, which has
>backup user rights, there's not much reason anymore to add the service
>account to the ACL. I fear that's just old cruft in the ssh-user-script.
Well, that's up to you. I wanted to do something that was as close to
equivalent as the existing ssh-[host|user]-config, with only those
changes necessary to support a common service account whose name might
not be 'sshd_service'.
Now, as to:
>The query "Do you want to use different name?" is a bit upside down,
>IMHO. The query should be rather phrased positively "Do you want to use
>t name?"
I already addressed this:
http://cygwin.com/ml/cygwin/2008-03/msg00447.html
Phrasing that question in the opposite sense breaks postinstall scripts,
where auto_answer="no". That is:
Do you want to use this name? <no>
Enter the name you want to use: <hangs>
...and that would be bad. Now, the openssh package does not invoke its
config scripts from /etc/postinstall, but others do. So I need to take
care that the auto_answer="no" case never hangs.
>But, here's a question: Shouldn't the csih_privileged_accounts() function
>check the service itself, rather than testing possible names with `net
>user'? It would be as simple as giving csih_privileged_accounts the
>service name as $1 argument, and then extract the user name with something
>along the lines of
>
> svc_user=$(regtool get '/HKLM/SYSTEM/CurrentControlSet/Services/$1/ObjectName')
> svc_user="${svc_user/\.\\/$COMPUTERNAME}"
> svc_user=$([ "$svc_user" = "LocalSystem" ] && echo "SYSTEM" || echo $(fgrep "${svc_user}" /etc/passwd | cut -d: -f 1))
(a) csih_select_privileged_username (in CVS) already optionally accepts
the service name in addition to the -q option. Currently it is only used
to customize the Info: messages (see ${opt_servicename}, above). So
this is even easier to add than you imagine -- if it is truly desirable
to do so.
(b) You could also do 'foo=$(cygrunsrv -V -L ${service} | sed -n
'/Account/p' | awk '{print $NF}'); foo=$(basename $foo)' which amounts
to the same thing.
(c) But what if ${service} has not yet been installed, even though [a]
common service account exists [perhaps used by some other installed
cygwin service]? Then you'd still need the existing logic...
Furthermore, remember that these routines are shared between (the more
common) install-a-service config scripts, and (less common) user config
scripts like ssh-user-config. In the former [common] case, assuming
${service} is not installed, you will always need the existing logic.
If csih_select_privileged_username() short-circuits the existing logic
when ${service} is already installed, then you can never change the user
under which ${service} runs, without first de-registering ${service}.
Maybe that's a good thing, but right now (and in the exising
ssh-host-config) I *think* you can run it "again" and choose a different
user, and cygrunsrv will happily modify the existing registered
${service}. I didn't think it was my place to make that behavior
change.
But as I said, maybe it's a GOOD thing to disallow that, without
explicitly deregistering ${service} first.
--
Chuck
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2008-04-10 4:57 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-04-03 0:03 [ANNOUNCEMENT] Updated: csih-0.1.3-1 Charles Wilson
2008-04-03 4:52 ` Charles Wilson
2008-04-03 8:55 ` Corinna Vinschen
2008-04-07 15:30 ` Corinna Vinschen
2008-04-08 1:20 ` Charles Wilson
2008-04-08 2:26 ` Attn: cygport, openssh, and exim/cron maintainers [Was: [ANNOUNCEMENT] Updated: csih-0.1.3-1] Charles Wilson
2008-04-08 8:12 ` Corinna Vinschen
2008-04-08 5:32 ` [ANNOUNCEMENT] Updated: csih-0.1.3-1 Charles Wilson
2008-04-08 8:13 ` Corinna Vinschen
2008-04-09 12:14 ` Corinna Vinschen
2008-04-08 6:22 ` Charles Wilson
2008-04-08 8:13 ` Corinna Vinschen
2008-04-09 16:12 Charles Wilson
2008-04-09 16:20 ` Corinna Vinschen
2008-04-09 16:38 ` Mark J. Reed
2008-04-09 17:50 ` Matt Wozniski
2008-04-09 18:52 ` Mark J. Reed
2008-04-10 7:49 ` Charles Wilson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).