public inbox for cygwin@cygwin.com
From: Shaddy Baddah <superbas@shaddybaddah.name>
To: cygwin@cygwin.com
Subject: Re: ssh-host-config: patch fix debug option + broken for me on Vista (non-domain)
Date: Mon, 23 Jan 2017 03:13:00 -0000
Message-ID: <252a5384-0979-7912-18ca-b8ceeccdb016@shaddybaddah.name>
In-Reply-To: <20170119181643.GB25162@calimero.vinschen.de>

[-- Attachment #1: Type: text/plain, Size: 4274 bytes --]

Hi,


On 20/01/17 05:16, Corinna Vinschen wrote:
> On Jan 19 22:26, Shaddy Baddah wrote:
>>
>> Hi,
>>
>> On 19/01/17 21:38, Corinna Vinschen wrote:
>>> On Jan 18 14:34, Shaddy Baddah wrote:
>> ...
>>
>>>> And I'm sure the problem is that this well-intended change to the script
>>>> fails on the assumption that LOGONSERVER is always populated. It isn't
>>>> for me on Vista.
>>>>
>>>> cygwin-service-installation-helper.sh:2884:      # This test succeeds on domain member machines only, not on DCs.
>>>> cygwin-service-installation-helper.sh:2885:      if [ "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}" \
>>>> cygwin-service-installation-helper.sh:2886:        -a "${LOGONSERVER}" != "\\\\MicrosoftAccount" ]
>>>> cygwin-service-installation-helper.sh:2887:      then
>>>> cygwin-service-installation-helper.sh:2888:     # Lowercase of USERDOMAIN
>>>> cygwin-service-installation-helper.sh:2889:     csih_PRIVILEGED_USERNAME="${COMPUTERNAME,,*}+${username}"
>>>> cygwin-service-installation-helper.sh:2890:      fi
>>>> cygwin-service-installation-helper.sh:2891:    fi
>>>>
>>>> I fixed this by modifying the test to check LOGONSERVER is not empty:
>>>>
>>>> if [ -n "${LOGONSERVER}" -a "\\\\...
>>>>
>>>> Can this be fixed in the next release?
>>>
>>> Sure, please provide a patch, I'll check it in and release a new csih
>>> soonish.
>>
>> I would, but there's a couple of hitches. Without understanding the
>> syntax (and I should bring up the bash man page here, I will do after
>> this), I can't be sure that the following test:
>>
>> "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}"
>>
>> wasn't designed to handle an empty LOGONSERVER variable.
>
> No, it wasn't.  The idea is that if LOGONSERVER == COMPUTERNAME your
> machine is not in a domain.  Actually, I *never* encountered an environment
> in which LOGONSERVER isn't set.  Are you sure this isn't just some kind
> of misconfiguration?  I don't think Cygwin is the only application
> checking for LOGONSERVER.

Sorry, yep, it's to check that it is not in a domain. The ',,' is just a
bonus case conversion to guarantee that case doesn't throw the
comparison (I wasn't familiar with it).

On 21/01/17 09:40, szgyg wrote:
 > On 1/19/2017 7:16 PM, Corinna Vinschen wrote:
 >> The idea is that if LOGONSERVER == COMPUTERNAME your
 >> machine is not in a domain.  Actually, I *never* encountered an
 >> environment
 >> in which LOGONSERVER isn't set.
 >
 > It's empty if you're using RunAs.

Thank you szgyg. This is on the right track. There is a variation. I
didn't use the RunAs command.

Instead I did what I think is the almost 100% use case for running
ssh-host-config. Which is to launch mintty by selecting "Run as
administrator", elevate privilege to allow the script to add users and
services, etc.

The difference is as follows. And I test for this. I login to the
desktop as a non-administrator. When I select "Run as administrator" I
am prompted to enter a password for (one of) the administrator users.

That mintty (and cmd prompt too obviously) do not have LOGONSERVER set.

If I login to the desktop as administrator user, and "Run as
administrator", LOGONSERVER is set.

Also, there is another use case which I haven't tried, but I would feel
would result in no LOGONSERVER as well... not sure. I can try it as I
complete this email...

That is logging in to an administrator user via ssh itself. OK, it
doesn't make sense for the purpose of running ssh-host-config (you've
obviously already got ssh server running), but just to cover bases...
I've tried it, and LOGONSERVER is set.

So it seems LOGONSERVER isn't set if you RunAs, from the desktop, as a
different user.

As an aside... doesn't seem like the administrator user has the elevated
privileges anymore. It was the case in the past. I never picked up on
that change.

To that end, please find attached the patch to fix the LOGONSERVER
problem. I think it should be fine for a domain environment. Because if
you run as a domain assigned local administrator, LOGONSERVER will be
set, even on a "Run as administrator".

If you just run as a local computer administrator (whatever the
accurate terminology is here), then you will have an empty LOGONSERVER
and the script will run for the local user.

-- 
Regards,
Shaddy


[-- Attachment #2: fix-ssh-host-config-LOGONSERVER.diff --]
[-- Type: text/x-patch, Size: 550 bytes --]

--- cygwin-service-installation-helper.sh.orig	2015-10-28 20:23:49.000000000 +1100
+++ cygwin-service-installation-helper.sh	2017-01-23 13:54:19.334891100 +1100
@@ -2882,7 +2882,8 @@
     if ! csih_use_file_etc "passwd"
     then
       # This test succeeds on domain member machines only, not on DCs.
-      if [ "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}" \
+      if [ -n "${LOGONSERVER}" \
+	   -a "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}" \
 	   -a "${LOGONSERVER}" != "\\\\MicrosoftAccount" ]
       then
 	# Lowercase of USERDOMAIN
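
Review bot: The comment above the changed `if` still reads "This test succeeds on domain member machines only, not on DCs.", but with the new `-n "${LOGONSERVER}"` clause the test also deliberately fails when LOGONSERVER is empty. Extend the comment to say that an empty or unset LOGONSERVER (the elevated-as-a-different-user case from this thread) is treated as a non-domain machine, so a later reader does not drop the guard as redundant. The condition now chains three tests with `-a` inside one `[ ]`; since the line already depends on the bash-only `${VAR,,*}` expansion, `[[ ... && ... && ... ]]` or separate `[ ]` tests joined with `&&` would avoid the parsing ambiguity of multi-operand `test`.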


[-- Attachment #3: Type: text/plain, Size: 219 bytes --]


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
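
The behaviour discussed in this message, as an added example that is not part of the original post or of csih: the domain-membership test before and after the patch, written as pure functions so the four environments from the thread can be compared side by side. The function names and host names are constructed for illustration, and `tr` stands in for bash's `${VAR,,*}` so the sketch also runs under plain `sh`.

```sh
#!/bin/sh
# Added example (not csih code). Function names and the sample host names
# below are constructed; only the comparison logic mirrors the quoted script.

# Lowercase a string; stands in for bash's ${VAR,,*}.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Original test: $1 = COMPUTERNAME, $2 = LOGONSERVER.
# Returns 0 when the machine is treated as a domain member.
is_domain_member_orig() {
  [ "\\\\$(lower "$1")" != "$(lower "$2")" ] &&
    [ "$2" != "\\\\MicrosoftAccount" ]
}

# Patched test: an empty LOGONSERVER is treated as "not in a domain".
is_domain_member_patched() {
  [ -n "$2" ] && is_domain_member_orig "$1" "$2"
}

# Print the "<original>/<patched>" verdict for one environment.
classify() {
  o=local; p=local
  is_domain_member_orig "$1" "$2" && o=domain
  is_domain_member_patched "$1" "$2" && p=domain
  printf '%s/%s\n' "$o" "$p"
}

# Constructed environments (COMPUTERNAME, LOGONSERVER):
classify "VISTA-PC" '\\VISTA-PC'          # standalone machine, normal logon
classify "WS01"     '\\DC01'              # domain member
classify "HOME-PC"  '\\MicrosoftAccount'  # Microsoft account logon
classify "VISTA-PC" ''                    # elevated as a different user
```

Only the last case differs: the original test compares `\\vista-pc` with an empty string, finds them unequal, and takes the domain branch, which is where the quoted script builds `csih_PRIVILEGED_USERNAME` with the `computername+` prefix.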
