From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 22081 invoked by alias); 7 Aug 2008 16:42:00 -0000 Received: (qmail 22073 invoked by uid 22791); 7 Aug 2008 16:42:00 -0000 X-Spam-Check-By: sourceware.org Received: from aquarius.hirmke.de (HELO calimero.vinschen.de) (217.91.18.234) by sourceware.org (qpsmtpd/0.31.1) with ESMTP; Thu, 07 Aug 2008 16:41:25 +0000 Received: by calimero.vinschen.de (Postfix, from userid 500) id 706AD6D4354; Thu, 7 Aug 2008 18:42:41 +0200 (CEST) Date: Thu, 07 Aug 2008 17:43:00 -0000 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED]) Message-ID: <20080807164241.GK3806@calimero.vinschen.de> Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <48821B9F.6070907@cwilson.fastmail.fm> <20080719171235.GO5675@calimero.vinschen.de> <488252B5.8000501@cwilson.fastmail.fm> <20080720122754.GP5675@calimero.vinschen.de> <20080720134054.GQ5675@calimero.vinschen.de> <4897AD74.8020606@cwilson.fastmail.fm> <20080807075806.GA30629@calimero.vinschen.de> <489B13F4.4030002@cwilson.fastmail.fm> <20080807154823.GI3806@calimero.vinschen.de> <489B20AC.9080902@cwilson.fastmail.fm> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <489B20AC.9080902@cwilson.fastmail.fm> User-Agent: Mutt/1.5.16 (2007-06-09) Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com X-SW-Source: 2008-08/txt/msg00215.txt.bz2 On Aug 7 12:19, Charles Wilson wrote: > Corinna Vinschen wrote: >> Well, hmm. In theory, admins have backup/restore rights anyway. >> However, I was just thinking that csih should get rid of points of >> failure which are not entirely necessary, like the checks for denied >> user rights. If you think the test is necessary, just stick to it. > > Well, part of the purpose of the foo-config scripts is to diagnose -- if > the foo-config script succeeds without error, then one would expect that > the installed service will, in fact, operate correctly. It's much worse to > have a user run ssh-host-config which /apparently/ succeeds, only to have > the service fail to start or operate correctly. > > So, I think /some/ version of this test should remain. However, if the > Administrators GROUP is not present in the /etc/passwd file -- that's not a > failure, so long as the Administrator and/or SYSTEM have the desired access > to the file (as well as the file's owner). > > So, I can see csih_get_system_and_admins_ids() reporting success if it > finds these three: ADMIN-GID, SYSTEM-GID, and SYSTEM-UID, and treating > ADMIN-UID (e.g. -544 in /etc/passwd) as a non-failure if missing. > > Then, csih_check_access (and all other users of ADMIN-UID) would > special-case against empty. > > We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in > both /etc/group and /etc/passwd, right? Yes. I'm just wondering if we shouldn't check for the Admins group only. The token of the SYSTEM user always contains the Admins group and the cyg_server (or whatever the name is) user is always (and should always) be created as member of the admins group, too. So, if I didn't miss anything important, the check could be reduced to checking for the admins group permissions. Does that make sense? Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/