Subject: Re: ssh-host-config: patch fix debug option + broken for me on Vista (non-domain)
To: cygwin@cygwin.com
From: Shaddy Baddah
Date: Mon, 23 Jan 2017 03:13:00 -0000

Hi,

On 20/01/17 05:16, Corinna Vinschen wrote:
> On Jan 19 22:26, Shaddy Baddah wrote:
>>
>> Hi,
>>
>> On 19/01/17 21:38, Corinna Vinschen wrote:
>>> On Jan 18 14:34, Shaddy Baddah wrote:
>> ...
>>
>>>> And I'm sure the problem is that this well-intended change to the script
>>>> fails on the assumption that LOGONSERVER is always populated. It isn't
>>>> for me on Vista.
>>>>
>>>> cygwin-service-installation-helper.sh:2884: # This test succeeds on
>>>> domain member machines only, not on DCs.
>>>> cygwin-service-installation-helper.sh:2885: if [
>>>> "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}" \
>>>> cygwin-service-installation-helper.sh:2886: -a "${LOGONSERVER}" !=
>>>> "\\\\MicrosoftAccount" ]
>>>> cygwin-service-installation-helper.sh:2887: then
>>>> cygwin-service-installation-helper.sh:2888: # Lowercase of USERDOMAIN
>>>> cygwin-service-installation-helper.sh:2889:
>>>> csih_PRIVILEGED_USERNAME="${COMPUTERNAME,,*}+${username}"
>>>> cygwin-service-installation-helper.sh:2890: fi
>>>> cygwin-service-installation-helper.sh:2891: fi
>>>>
>>>> I fixed this by modifying the test to check LOGONSERVER is not empty:
>>>>
>>>> if [ -n "${LOGONSERVER}" -a "\\\\...
>>>>
>>>> Can this be fixed in the next release?
>>>
>>> Sure, please provide a patch, I'll check it in and release a new csih
>>> soonish.
>>
>> I would, but there's a couple of hitches.
>> Without understanding the
>> syntax (and I should bring up the bash man page here, I will do after
>> this), I can't be sure that the following test:
>>
>> "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}"
>>
>> wasn't designed to handle an empty LOGONSERVER variable.
>
> No, it wasn't. The idea is that if LOGONSERVER == COMPUTERNAME your
> machine is not in a domain. Actually, I *never* encountered an environment
> in which LOGONSERVER isn't set. Are you sure this isn't just some kind
> of misconfiguration? I don't think Cygwin is the only application
> checking for LOGONSERVER.

Sorry, yep, it's to check that it is not in a domain. The ',,' is just a bonus case conversion to guarantee that case doesn't throw the comparison (I wasn't familiar with it).

On 21/01/17 09:40, szgyg wrote:
> On 1/19/2017 7:16 PM, Corinna Vinschen wrote:
>> The idea is that if LOGONSERVER == COMPUTERNAME your
>> machine is not in a domain. Actually, I *never* encountered an
>> environment
>> in which LOGONSERVER isn't set.
>
> It's empty if you're using RunAs.

Thank you szgyg. This is on the right track. There is a variation. I didn't use the RunAs command. Instead I did what I think is the almost 100% use case for running ssh-host-config. Which is to launch mintty by selecting "Run as administrator", elevate privilege to allow the script to add users and services, etc.

The difference is as follows. And I test for this. I login to the desktop as a non-administrator. When I select "Run as administrator" I am prompted to enter a password for (one of) the administrator users. That mintty (and cmd prompt too obviously) do not have LOGONSERVER set.

If I login to the desktop as administrator user, and "Run as administrator", LOGONSERVER is set.

Also, there is another use case which I haven't tried, but I would feel would result in no LOGONSERVER as well... not sure. I can try it as I complete this email... That is logging in to an administrator user via ssh itself.
OK, it doesn't make sense for the purpose of running ssh-host-config (you've obviously already got ssh server running), but just to cover bases... I've tried it, and LOGONSERVER is set.

So it seems LOGONSERVER isn't set if you RunAs, from the desktop, as a different user.

As an aside... doesn't seem like the administrator user has the elevated privileges anymore. It was the case in the past. I never picked up on that change.

To that end, please find attached the patch to fix the LOGONSERVER problem. I think it should be fine for a domain environment. Because if you run as a domain assigned local administrator, LOGONSERVER will be set, even on a "Run as administrator". If you just run as a local computer administrator (whatever the accurate terminology is here), then you will have an empty LOGONSERVER and the script will run for the local user.

--
Regards,
Shaddy

--- cygwin-service-installation-helper.sh.orig 2015-10-28 20:23:49.000000000 +1100 +++ cygwin-service-installation-helper.sh 2017-01-23 13:54:19.334891100 +1100 @@ -2882,7 +2882,8 @@ if ! csih_use_file_etc "passwd" then # This test succeeds on domain member machines only, not on DCs. - if [ "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}" \ + if [ -n "${LOGONSERVER}" \ + -a "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}" \ -a "${LOGONSERVER}" != "\\\\MicrosoftAccount" ] then # Lowercase of USERDOMAIN
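
Review bot: the context comment "# This test succeeds on domain member machines only, not on DCs." is left unchanged, but with the added `-n "${LOGONSERVER}"` operand the branch is now also skipped whenever LOGONSERVER is empty or unset, which is the case this patch exists for. Extend the comment to say that an empty LOGONSERVER (elevation under a different account, as described in the message) is treated like a non-domain machine, so a later reader does not drop the check as redundant. Separately, the condition now chains three expressions with `-a` inside `[ ]`; the script already depends on bash for `${VAR,,*}`, so `[[ ... && ... ]]` would be the less ambiguous form, though the `-a` style predates this change.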
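
The effect of an empty LOGONSERVER on the test discussed in this message, as an added example that is not part of the original post or of csih. The pre-patch and patched conditions are rewritten as POSIX sh functions (`lower` is a stand-in for bash's `${VAR,,*}`), and the host names are constructed.

```shell
#!/bin/sh
# Added example, not csih code: the LOGONSERVER test before and after the patch.
# lower() is a portable stand-in for the bash-only ${VAR,,*} expansion.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Pre-patch condition. $1 = COMPUTERNAME, $2 = LOGONSERVER.
# Returns 0 when the script would take the domain-member branch.
domain_member_old() {
    [ "\\\\$(lower "$1")" != "$(lower "$2")" ] &&
        [ "$2" != "\\\\MicrosoftAccount" ]
}

# Patched condition: an empty LOGONSERVER can never select the domain branch.
domain_member_new() {
    [ -n "$2" ] && domain_member_old "$1" "$2"
}

# Print the verdict of both versions for one environment.
classify() {
    old=local; new=local
    if domain_member_old "$1" "$2"; then old=domain; fi
    if domain_member_new "$1" "$2"; then new=domain; fi
    printf 'old=%s new=%s\n' "$old" "$new"
}

# Constructed sample environments: label|COMPUTERNAME|LOGONSERVER
samples='own desktop session, standalone|VISTA-PC|\\VISTA-PC
same host, different case|Vista-PC|\\VISTA-PC
domain member|WS01|\\DC01
Microsoft account logon|VISTA-PC|\\MicrosoftAccount
elevated as another user (LOGONSERVER empty)|VISTA-PC|'

printf '%s\n' "$samples" | while IFS='|' read -r label cn logon; do
    printf '%-46s %s\n' "$label" "$(classify "$cn" "$logon")"
done
```

Only the last row differs between the two versions: before the patch an empty LOGONSERVER compares unequal to `\\computername` and the standalone machine is handled as a domain member.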