From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 23345 invoked by alias); 8 Aug 2008 08:38:55 -0000
Received: (qmail 23334 invoked by uid 22791); 8 Aug 2008 08:38:54 -0000
X-Spam-Check-By: sourceware.org
Received: from aquarius.hirmke.de (HELO calimero.vinschen.de) (217.91.18.234) by sourceware.org (qpsmtpd/0.31.1) with ESMTP; Fri, 08 Aug 2008 08:38:14 +0000
Received: by calimero.vinschen.de (Postfix, from userid 500) id 5CEFE6D4354; Fri, 8 Aug 2008 10:39:36 +0200 (CEST)
Date: Fri, 08 Aug 2008 09:20:00 -0000
From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
Message-ID: <20080808083936.GN3806@calimero.vinschen.de>
Reply-To: cygwin@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
References: <488252B5.8000501@cwilson.fastmail.fm> <20080720122754.GP5675@calimero.vinschen.de> <20080720134054.GQ5675@calimero.vinschen.de> <4897AD74.8020606@cwilson.fastmail.fm> <20080807075806.GA30629@calimero.vinschen.de> <489B13F4.4030002@cwilson.fastmail.fm> <20080807154823.GI3806@calimero.vinschen.de> <489B20AC.9080902@cwilson.fastmail.fm> <20080807164241.GK3806@calimero.vinschen.de> <489B29F1.909@cwilson.fastmail.fm>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <489B29F1.909@cwilson.fastmail.fm>
User-Agent: Mutt/1.5.16 (2007-06-09)
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Id:
List-Subscribe:
List-Archive:
List-Post:
List-Help:
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
X-SW-Source: 2008-08/txt/msg00239.txt.bz2

On Aug  7 12:59, Charles Wilson wrote:
> Corinna Vinschen wrote:
>>> We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in
>>> both /etc/group and /etc/passwd, right?
>> Yes.  I'm just wondering if we shouldn't check for the Admins group
>> only.  The token of the SYSTEM user always contains the Admins group and
>> the cyg_server (or whatever the name is) user is always (and should
>> always) be created as member of the admins group, too.  So, if I didn't
>> miss anything important, the check could be reduced to checking for the
>> admins group permissions.  Does that make sense?
>
> It makes sense -- if the following assertion is true for NT/2k/XP, as well
> as more modern versions of Windows, for both cygwin-1.5 and cygwin-1.7:
>
> Admins group access to a file (-...[rwx]... as specified by $2 if group
> ownership of the file is Administrators, or a sufficient group token in the
> extended ACLs is present as determined by getfacl) is necessary and
> sufficient for the SYSTEM user (and/or the special privileged user) to
> access the file, regardless of the file's actual owner.

That should be the case.  The SYSTEM user token always contains the
Administrators group in its group list, so the SYSTEM user has (at least)
all permissions the Admins group has.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
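The check the thread settles on (Administrators must be granted the required bits either through group ownership or through an explicit group entry in the extended ACL, with SYSTEM covered implicitly because its token always carries Administrators) can be expressed as a small shell function. The following is an added example written for this page; it is not code from the thread or from csih. It assumes `getfacl`-style output in the form `# group: NAME`, `group::PERMS` and `group:NAME:PERMS`, that the group is named `Administrators`, and ignores any `mask` entry. The three ACL listings are constructed samples embedded inline so the script runs without Cygwin.

```shell
#!/bin/sh
# Decide whether the Administrators group is granted a set of required
# permission bits on a file, judged from getfacl-style output.  The group
# qualifies either because the file's owning group is Administrators (so the
# "group::" entry applies) or because an explicit "group:Administrators:"
# entry is present.  As the thread notes, SYSTEM needs no separate check:
# its token always contains the Administrators group.

# perms_cover ACTUAL REQUIRED
#   ACTUAL and REQUIRED are three-character strings such as "rwx" or "r-x".
#   A '-' in REQUIRED means "don't care"; any other character must match.
#   Returns 0 when every required bit is set in ACTUAL.
perms_cover() {
    actual=$1; required=$2
    i=1
    while [ "$i" -le 3 ]; do
        req=$(printf '%s' "$required" | cut -c "$i")
        act=$(printf '%s' "$actual" | cut -c "$i")
        if [ "$req" != "-" ] && [ "$act" != "$req" ]; then
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# admins_have_access ACL_TEXT REQUIRED
#   ACL_TEXT is the full getfacl output for one file.  Returns 0 when the
#   Administrators group receives REQUIRED, via owning group or named entry.
admins_have_access() {
    acl=$1; required=$2
    owning_group=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
    if [ "$owning_group" = "Administrators" ]; then
        perms=$(printf '%s\n' "$acl" | sed -n 's/^group::\(...\)$/\1/p')
        if [ -n "$perms" ] && perms_cover "$perms" "$required"; then
            return 0
        fi
    fi
    # Explicit (extended ACL) entry for the group, independent of ownership.
    perms=$(printf '%s\n' "$acl" | sed -n 's/^group:Administrators:\(...\)$/\1/p')
    if [ -n "$perms" ] && perms_cover "$perms" "$required"; then
        return 0
    fi
    return 1
}

# Constructed sample listings (hypothetical paths and owners, not real output).
ACL_GROUP_OWNED='# file: /var/empty
# owner: cyg_server
# group: Administrators
user::rwx
group::r-x
other::---'

ACL_NAMED='# file: /etc/ssh_host_key
# owner: cyg_server
# group: Users
user::rw-
group::---
group:Administrators:rwx
other::---'

ACL_NONE='# file: /home/someone/file
# owner: someone
# group: Users
user::rw-
group::r--
other::r--'

# report LABEL ACL_TEXT REQUIRED: print a one-line verdict for the reader.
report() {
    if admins_have_access "$2" "$3"; then
        echo "$1: Administrators have $3"
    else
        echo "$1: Administrators lack $3"
    fi
}

report "group-owned" "$ACL_GROUP_OWNED" "r-x"
report "group-owned" "$ACL_GROUP_OWNED" "rwx"
report "named-entry" "$ACL_NAMED" "rwx"
report "no-entry" "$ACL_NONE" "r--"
```

The function deliberately treats a `-` in the required string as "don't care", which mirrors the `-...[rwx]...` style of specification mentioned in the thread: a check for `r-x` passes on a `rwx` entry. Where a `mask` entry is present, the effective permissions of the owning group and of named entries are further limited by it, so a production check would intersect the bits with the mask before comparing.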