public inbox for cygwin@cygwin.com
From: jcwilson.cygwin@nym.hush.com
To: cygwin@cygwin.com
Subject: [nfs-server] Hazardous changes introduced in 2.3-6
Date: Sun, 29 May 2016 02:40:00 -0000
Message-ID: <20160528213448.3EBEB40137@smtp.hushmail.com>

I have been using the 32-bit version of the nfs-server 2.3-5 package successfully for the past few months to share my Cygwin filesystem with a locally hosted VirtualBox VM. So I was pleased to see that the nfs-server package had finally made it into the 64-bit Cygwin release. However, there was an unexpected change that caused some major headaches for me when I tried to replicate my setup with the new 2.3-6 package.

Specifically, these lines were added to the nfs-server-config script:

    editrights -u ${NFSD_USER} -a SeDenyInteractiveLogonRight
    editrights -u ${NFSD_USER} -a SeDenyRemoteInteractiveLogonRight

In my 2.3-5 configuration I had installed the 3 cygrunsrv services (portmap, rpc.nfsd, rpc.mountd) to use my login account as the services' user. However, using the same configuration in 2.3-6 had the nasty side effect of locking me out of my own system the next time I had to log in to my computer. This effect is not documented anywhere that I could find. Furthermore, this seems like an error-prone default, since the 2.3-6 nfs-server-config now forces the user to specify an account to use as the service user. (The 2.3-5 version offered the initial option of just using the System account, I believe.)

Upon attempting to log back in I was presented with the following error message after entering my password: "The sign-in method you're trying to use isn't allowed. For more info, contact your network administrator."

As someone who had not enabled the built-in Admin account for login and only had the one user login account, this was a harrowing experience that I was luckily able to recover from with the help of some YouTube videos and some bizarre security decisions on Microsoft's part.

Can we discuss removing these two lines, or at least provide a way to opt out of applying them if the user so desires? Ideally, it would be an opt-in, I would think, given the potential for danger. The reason I am using my local login account as the service user is because I am sharing directories from within my Windows home directory in a RW fashion. The System user has difficulty getting permissions to perform the necessary operations.

All other changes to the new 2.3-6 are for the better. In fact, it seems to handle VirtualBox virtual ethernet adapters much better than the 32-bit version. And I no longer have to perform a system restart for some nfsd settings to take effect. Thank you for your work on this project. I just want to do my part to make it better, too.

Also, one other thing I noticed is that the src package for 2.3-6 does not seem to actually include the correct src.tar.bz2 file. Instead, it still only includes the 2.3-5 bz2 file. As such, it's impossible to attempt to submit a patch to correct this problem.

-Josh

(I apologize if this appears a second time in the mailing list. I don't see the first post I made on 5/27 in the archives yet and I'm not sure it made it out to the list)
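
One way the opt-in requested in the message above could look, as an added example that is not part of the original message or of the nfs-server package. `NFSD_DENY_LOGON`, `EDITRIGHTS` and both function names are hypothetical; only the two `editrights -u ... -a ...` calls come from the message, and the `DOMAIN\user` / `MACHINE+user` prefix handling is an assumption about how the account may be spelled.

```bash
#!/bin/bash
# Added example, not nfs-server-config code. NFSD_DENY_LOGON, EDITRIGHTS and
# both function names are hypothetical.

# Command that changes the rights; overridable so the logic can be dry-run.
: "${EDITRIGHTS:=editrights}"

# Lower-case the name and strip a DOMAIN\ or MACHINE+ prefix (assumed
# spellings), so "PC\Josh", "PC+josh" and "josh" compare equal.
normalize_account() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/^.*[\\+]//'
}

# deny_interactive_logon SERVICE_USER [CURRENT_USER]
#   0  both deny rights were added to SERVICE_USER
#   1  skipped: the admin did not opt in (NFSD_DENY_LOGON is not "yes")
#   2  refused: SERVICE_USER is the account running this script
#   3  the rights command failed
deny_interactive_logon() {
    local svc="$1" cur="${2:-$(id -un)}" right

    # Opt-in: by default the service account keeps its logon rights.
    if [ "${NFSD_DENY_LOGON:-no}" != yes ]; then
        echo "Leaving logon rights of '$svc' unchanged." >&2
        return 1
    fi

    # Even when opted in, never deny logon to the account doing the setup:
    # that is the lockout described in the message.
    if [ "$(normalize_account "$svc")" = "$(normalize_account "$cur")" ]; then
        echo "Refusing: '$svc' is your own login account." >&2
        echo "Use a dedicated service account to apply the deny rights." >&2
        return 2
    fi

    for right in SeDenyInteractiveLogonRight SeDenyRemoteInteractiveLogonRight; do
        "$EDITRIGHTS" -u "$svc" -a "$right" || return 3
    done
}

# In a config script, in place of the two unconditional calls:
#   deny_interactive_logon "${NFSD_USER}" || true
```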

