public inbox for cygwin@cygwin.com
From: Charles Wilson <cygwin@cwilson.fastmail.fm>
To: cygwin@cygwin.com
Subject: csih-0.1.6 available for testing [Was: Re: CSIH patch (Re: Unable  to run sshd ...)]
Date: Fri, 08 Aug 2008 02:20:00 -0000
Message-ID: <489B8A25.1040008@cwilson.fastmail.fm>
In-Reply-To: <489B29F1.909@cwilson.fastmail.fm>

Charles Wilson wrote:
> Corinna Vinschen wrote:
>>> We can require Administrators (-544) in /etc/group, and SYSTEM (-18) 
>>> in both /etc/group and /etc/passwd, right?
>>
>> Yes.  I'm just wondering if we shouldn't check for the Admins group
>> only.  The token of the SYSTEM user always contains the Admins group and
>> the cyg_server (or whatever the name is) user is always (and should
>> always) be created as member of the admins group, too.  So, if I didn't
>> miss anything important, the check could be reduced to checking for the
>> admins group permissions.  Does that make sense?
> 
> It makes sense -- if the following assertion is true for NT/2k/XP, as 
> well as more modern versions of Windows, for both cygwin-1.5 and 
> cygwin-1.7:
> 
> Admins group access to a file (-...[rwx]... as specified by $2 if group 
> ownership of the file is Administrators, or a sufficient group token in 
> the extended ACLs is present as determined by getfacl) is necessary and 
> sufficient for the SYSTEM user (and/or the special privileged user) to 
> access the file, regardless of the file's actual owner.

Well, the changes are piling up in this release, so all I implemented 
with regards to this specific issue was

   (1) csih_get_system_and_admins_ids() doesn't fail if it can't find
       the Administrators group entry in /etc/passwd
   (2) csih_check_access() skips checking if the file is owned by the
       Administrators group when csih_ADMINSUID is empty.

We can address the finer points of this issue -- and probably others -- 
in 0.1.7.

I've uploaded csih-0.1.6 as a test release, but I do not imagine it will 
survive to curr: without changes. (e.g. it is most likely broken. I hope 
not, but...my testing environment is limited.)  Please test and send 
patches for a better 0.1.7.  Also see FIXME in 
csih_create_unprivileged_user.


Here's the change log and news:

NEWS

     * more permissions tweaks for privileged user:
     See http://cygwin.com/ml/cygwin/2008-06/msg00453.html
     Users of earlier versions of csih may need to manually
     adjust their existing privileged users. Again:
         editrights -r SeDenyNetworkLogonRight -u cyg_server
         editrights -r SeDenyInteractiveLogonRight -u cyg_server
         editrights -r SeIncreaseQuotaPrivilege -u cyg_server

     * Even on NT/2k/XP, prefer to use "privileged" user (cyg_server,
     sshd_server, cron_server, etc) if a suitable such user already
     exists.  If not, then for these older OS's, fall back to SYSTEM.
     As always, by setting csih_FORCE_PRIVILEGED_USER -- usually done
     by the calling script via a command line argument, such as
         /usr/bin/iu-config -privileged
     the user can force NT/2k/XP to behave as Vista or Server2008: a
     privileged user is required, and if one does not exist it will
     be created.

     * Also accept privileged accounts that exist only in /etc/passwd and
     are not present in the local SAM.  That is, accept pre-existing
     privileged domain accounts.

     * New utility program: getVolInfo
     http://cygwin.com/ml/cygwin/2007-08/msg00040.html

     * New function: csih_path_supports_acls() returns 0 (success)
     if the specified path is located on a volume that supports
     ACLs. Uses getVolInfo. Behavior can be modified, when getVolInfo
     is incorrect, by setting user-accessible variables:
         csih_WIN32_VOLS_WITH_ACLS
         csih_WIN32_VOLS_WITHOUT_ACLS
     which each may contain ;-separated lists of win32 paths,
     specifying volumes in the relevant category.

     * It is no longer a fatal error if, when checking the
     permissions or access rights of a file or directory, the
     target is located on a volume that does not support ACLs.
     A warning is issued, but operation continues.

     * The Administrators group is no longer required to be in
     /etc/passwd. However, it is still required in /etc/group.
     SYSTEM is (still) required in both /etc/passwd and /etc/group.

ChangeLog

2008-08-07  Charles Wilson  <...>

         Add getVolInfo utility program. Use it to avoid
         checking permissions on volumes that do not support ACLs.

         * csih.sh (main): update documentation.
         (csih_WIN32_VOLS_WITH_ACLS): new client-accessible var.
         (csih_WIN32_VOLS_WITHOUT_ACLS): ditto.
         (csih_path_supports_acls): new function.
         (_csih_convert_w32vol_to_shell_pattern): new function.
         (_csih_path_in_volumelist_core): new function.
         (_csih_path_in_volumelist): new function.
         (csih_get_system_and_admins_ids): update comments.
         No longer an error if Administrators group is not found
         in /etc/passwd.
         (_csih_warning_for_win9x_perms): new function.
         (_csih_warning_for_missing_ACL_support): new function.
         (csih_check_dir_perms): bail out early (returning success
         but with a warning) if on OS older than windows NT, or the
         specified file/dir is on a volume that does not support ACLs.
         (csih_check_access): ditto. Also, improve comments. If
         csih_ADMINSUID is empty, gracefully skip checking if file/dir
         is owned by the Administrators group.
         * cygwin/Makefile: new file.
         * cygwin/getVolInfo.c: new file.
         * COPYING: update documentation.
         * NEWS: update documentation.

2008-08-04  Charles Wilson  <...>

         Accept pre-existing privileged domain accounts.
         Default to privileged account on NT/2k/XP if exist.

         * csih.sh (csih_privileged_accounts): Always look
         for privileged users if NT or better. Look in both
         /etc/passwd and local SAM.
         (csih_privileged_account_exists): Update documentation
         to reflect behavior change inherited from above.
         (csih_select_privileged_username): Attempt to return
         a username even on NT/2k/XP (but default to empty if
         no pre-existing privileged user on those OS's). Be more
         specific in the informational messages emitted. Look
         in both /etc/passwd and local SAM for accounts, if user
         specified one we don't know about already.
         (csih_create_privileged_user): Improve comments.
         (csih_create_unprivileged_user): Improve comments.
         See FIXME! (remove this line from ChangeLog when resolved)
         (csih_service_should_run_as): Improve comments. Check
         both /etc/passwd and local SAM if "answer" is an account
         that did not exist when script was launched. For NT/2k/XP,
         default to pre-existing privileged user (if one exists), and
         only report SYSTEM otherwise.
         * NEWS: Document new behavior

2008-07-19  Corinna Vinschen  <...>

         * csih.sh (csih_account_has_necessary_privileges): Don't
         explicitly test for SeDenyXXX rights, nor for
         SeIncreaseQuotaPrivilege.
         (csih_create_privileged_user): Drop setting
         SeDenyInteractiveLogonRight and SeIncreaseQuotaPrivilege.


