From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Thu, 07 Aug 2008 16:24:00 -0000
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
Message-ID: <20080807154823.GI3806@calimero.vinschen.de>
In-Reply-To: <489B13F4.4030002@cwilson.fastmail.fm>

On Aug 7 11:25, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> Hi Chuck,
>> On Aug 4 21:31, Charles Wilson wrote:
>>> Corinna Vinschen wrote:
>>>> Btw., there's a test for the administrators group in /etc/passwd.
>>>
>>> I don't see this.
>>> I see testing /etc/passwd for the (local) Administrator
>>> USER, and testing /etc/group for the Administrators GROUP, but not
>>> /etc/passwd <-> Administrators GROUP.
>>>
>>> More info please?
>>
>> Function csih_get_system_and_admins_ids(), last test:
>>
>>   csih_ADMINSUID=$(sed -ne '/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,S-1-5-32-544:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}' /etc/passwd)
>>   csih_SYSTEMUID=$(sed -ne '/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,S-1-5-18:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}' /etc/passwd)
>>   if [ -z "$csih_ADMINSUID" -o -z "$csih_SYSTEMUID" ]
>>   then
>>     [...]
>>
>> The function csih_get_system_and_admins_ids is called by
>> csih_check_access() and requires the above test being successful.
>
> Ah -- those lines are testing /etc/passwd for the Administrator USER. You
> originally said 'administrators group'. Hence my confusion.

No, the above lines are checking for the passwd entry for the
administrators group. S-1-5-32-544 is the SID of that group. The SID
for the Administrator user is S-1-5-21-X-Y-Z-500.

> Now, about csih_check_access() -- without exact knowledge of
> csih_ADMINSUID, csih_SYSTEMUID, csih_ADMINSGID, and csih_SYSTEMGID, then
> the whole csih_check_access() test can't be computed.
>
> If you make those GID/UID vars "optional" (e.g. not a failure if missing),
> and then skip the relevant tests in csih_check_access, you might as well
> just abandon the test entirely. Is that what we want to do? Never bother
> to check for SYSTEM/Administrator access to the specified files?
>
> e.g.
> /var/run
> /var/log
> /var/empty
>
> Somehow that doesn't seem right.

Well, hmm. In theory, admins have backup/restore rights anyway.
However, I was just thinking that csih should get rid of points of
failure which are not entirely necessary, like the checks for denied
user rights. If you think the test is necessary, just stick to it.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
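
Added example (not part of the original message and not csih's own code): the quoted passwd lookup wrapped in a hypothetical helper, `uid_for_sid`, that takes the SID as a parameter, run against a constructed mkpasswd-style file whose domain SID digits are made up. It shows the Administrators group SID S-1-5-32-544 and an Administrator user SID ending in -500 resolving to different entries, and the check failing when the group entry is absent.

```shell
#!/bin/sh
# Added example: constructed data and hypothetical helper names, not csih code.

# Print the UID of the first passwd entry whose gecos field ends in ",<SID>".
# The sed expression is the one quoted in the message, with the SID as a parameter.
uid_for_sid() {
    sid=$1 file=$2
    # Accept only SID syntax so nothing else reaches the sed script.
    case $sid in
        S-1-*[!0-9-]*|*--*|*-) return 2 ;;
        S-1-[0-9]*) ;;
        *) return 2 ;;
    esac
    sed -ne "/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,${sid}:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*\$/\1/p;q}" "$file"
}

# Mirror of the quoted check: fail when either entry is missing from passwd.
check_system_and_admins() {
    admins_uid=$(uid_for_sid S-1-5-32-544 "$1")   # Administrators group
    system_uid=$(uid_for_sid S-1-5-18 "$1")       # SYSTEM
    [ -n "$admins_uid" ] && [ -n "$system_uid" ]
}

# Constructed sample in mkpasswd style; host name and domain SID are made up.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused:500:513:U-HOST\Administrator,S-1-5-21-1111-2222-3333-500:/home/Administrator:/bin/bash
EOF

echo "Administrators group UID: $(uid_for_sid S-1-5-32-544 "$sample")"
echo "SYSTEM UID:               $(uid_for_sid S-1-5-18 "$sample")"
echo "Administrator user UID:   $(uid_for_sid S-1-5-21-1111-2222-3333-500 "$sample")"

# Without the group entry the lookup is empty and the check fails.
grep -v ',S-1-5-32-544:' "$sample" > "$sample.nogroup"
check_system_and_admins "$sample.nogroup" || echo "check fails: no Administrators entry"
rm -f "$sample.nogroup"
```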