From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 1743 invoked by alias); 7 Aug 2008 16:20:46 -0000 Received: (qmail 1722 invoked by uid 22791); 7 Aug 2008 16:20:46 -0000 X-Spam-Check-By: sourceware.org Received: from out1.smtp.messagingengine.com (HELO out1.smtp.messagingengine.com) (66.111.4.25) by sourceware.org (qpsmtpd/0.31) with ESMTP; Thu, 07 Aug 2008 16:20:06 +0000 Received: from compute2.internal (compute2.internal [10.202.2.42]) by out1.messagingengine.com (Postfix) with ESMTP id 98DCA155D5B for ; Thu, 7 Aug 2008 12:20:04 -0400 (EDT) Received: from heartbeat1.messagingengine.com ([10.202.2.160]) by compute2.internal (MEProxy); Thu, 07 Aug 2008 12:20:04 -0400 Received: from [192.168.1.3] (user-0c6suln.cable.mindspring.com [24.110.122.183]) by mail.messagingengine.com (Postfix) with ESMTPSA id 032D213F29; Thu, 7 Aug 2008 12:20:03 -0400 (EDT) Message-ID: <489B20AC.9080902@cwilson.fastmail.fm> Date: Thu, 07 Aug 2008 16:42:00 -0000 From: Charles Wilson User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/20080708 Thunderbird/2.0.0.16 Mnenhy/0.7.5.666 MIME-Version: 1.0 To: cygwin@cygwin.com Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED]) References: <20080616210105.GI731@calimero.vinschen.de> <20080616211352.GK731@calimero.vinschen.de> <48821B9F.6070907@cwilson.fastmail.fm> <20080719171235.GO5675@calimero.vinschen.de> <488252B5.8000501@cwilson.fastmail.fm> <20080720122754.GP5675@calimero.vinschen.de> <20080720134054.GQ5675@calimero.vinschen.de> <4897AD74.8020606@cwilson.fastmail.fm> <20080807075806.GA30629@calimero.vinschen.de> <489B13F4.4030002@cwilson.fastmail.fm> <20080807154823.GI3806@calimero.vinschen.de> In-Reply-To: <20080807154823.GI3806@calimero.vinschen.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com X-SW-Source: 2008-08/txt/msg00213.txt.bz2 Corinna Vinschen wrote: > No, the above lines are checking for the passwd entry for the > administrators group. S-1-5-32-544 is the SID of that group. > The SID for the Administrator user is S-1-5-21-X-Y-Z-500. D'oh. Right. >> Now, about csih_check_access() -- without exact knowledge of >> csih_ADMINSUID, csih_SYSTEMUID, csih_ADMINSGID, and csih_SYSTEMGID, then >> the whole csih_check_access() test can't be computed. >> >> If you make those GID/UID vars "optional" (e.g. not a failure if missing), >> and then skip the relevant tests in csih_check_access, you might as well >> just abandon the test entirely. Is that what we want to do? Never bother >> to check for SYSTEM/Administrator access to the specified files? >> >> e.g. >> /var/run >> /var/log >> /var/empty >> >> Somehow that doesn't seem right. > > Well, hmm. In theory, admins have backup/restore rights anyway. > However, I was just thinking that csih should get rid of points of > failure which are not entirely necessary, like the checks for denied > user rights. If you think the test is necessary, just stick to it. Well, part of the purpose of the foo-config scripts is to diagnose -- if the foo-config script succeeds without error, then one would expect that the installed service will, in fact, operate correctly. It's much worse to have a user run ssh-host-config which /apparently/ succeeds, only to have the service fail to start or operate correctly. So, I think /some/ version of this test should remain. However, if the Administrators GROUP is not present in the /etc/passwd file -- that's not a failure, so long as the Administrator and/or SYSTEM have the desired access to the file (as well as the file's owner). So, I can see csih_get_system_and_admins_ids() reporting success if it finds these three: ADMIN-GID, SYSTEM-GID, and SYSTEM-UID, and treating ADMIN-UID (e.g. -544 in /etc/passwd) as a non-failure if missing. Then, csih_check_access (and all other users of ADMIN-UID) would special-case against empty. We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in both /etc/group and /etc/passwd, right? -- Chuck -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/