From: Charles Wilson
Date: Thu, 07 Aug 2008 17:53:00 -0000
To: cygwin@cygwin.com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
Message-ID: <489B29F1.909@cwilson.fastmail.fm>
In-Reply-To: <20080807164241.GK3806@calimero.vinschen.de>

Corinna Vinschen wrote:
>> We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in
>> both /etc/group and /etc/passwd, right?
>
> Yes. I'm just wondering if we shouldn't check for the Admins group
> only. The token of the SYSTEM user always contains the Admins group and
> the cyg_server (or whatever the name is) user is always (and should
> always) be created as member of the admins group, too. So, if I didn't
> miss anything important, the check could be reduced to checking for the
> admins group permissions. Does that make sense?

It makes sense -- if the following assertion is true for NT/2k/XP, as
well as more modern versions of Windows, for both cygwin-1.5 and cygwin-1.7:

    Admins group access to a file (-...[rwx]... as specified by $2 if
    group ownership of the file is Administrators, or a sufficient group
    token in the extended ACLs is present as determined by getfacl) is
    necessary and sufficient for the SYSTEM user (and/or the special
    privileged user) to access the file, regardless of the file's
    actual owner.

--
Chuck
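
One way to express the reduced check discussed in this message as a shell function, assuming the assertion above holds (an added example, not code from csih or from the original post). The function name `admins_group_has`, its argument order, and the sample `getfacl -n` style text are constructed for illustration.

```shell
# Added illustration, not csih code. Succeeds when the Administrators group
# (gid 544) holds every permission letter in $1, judged from:
#   $2 owning gid, $3 mode string from `ls -l`, $4 `getfacl -n` style text.
admins_group_has() {
    want=$1 owner_gid=$2 mode=$3 acl=$4
    printf '%s\n' "$acl" | awk -F: -v want="$want" -v gid="$owner_gid" -v mode="$mode" '
        # Group bits of the mode string count only if gid 544 is the owning group.
        BEGIN { mask = "rwx"; if (gid == 544) have = substr(mode, 5, 3) }
        # Accept both "mask:rwx" and "mask::rwx" spellings.
        $1 == "mask" { mask = substr($NF, 1, 3) }
        # Collect named ACL entries for gid 544 (ignores any "#effective" suffix).
        $1 == "group" && $2 == "544" { named = named substr($3, 1, 3) }
        END {
            # A named group entry is effective only where the mask allows it.
            for (i = 1; i <= length(named); i++) {
                c = substr(named, i, 1)
                if (c != "-" && index(mask, c)) have = have c
            }
            for (i = 1; i <= length(want); i++)
                if (!index(have, substr(want, i, 1))) exit 1
            exit 0
        }'
}

# Constructed sample ACLs (not captured from a real system).
ACL_PLAIN='# file: /tmp/sample
# owner: 18
# group: 544
user::rw-
group::rw-
other:---'
ACL_NAMED='# file: /tmp/sample
# owner: 18
# group: 18
user::rw-
group::---
group:544:rw-
mask:rwx
other:---'
ACL_MASKED=$(printf '%s\n' "$ACL_NAMED" | sed 's/^mask:rwx$/mask:r--/')

if admins_group_has rw 18 -rw------- "$ACL_MASKED"; then
    echo "Administrators has rw"
else
    echo "Administrators lacks rw (mask strips w from the named entry)"
fi
```
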