public inbox for cygwin@cygwin.com
 help / color / mirror / Atom feed
From: Houder <houder@xs4all.nl>
To: cygwin@cygwin.com
Subject: Installing sshd on W7 reveals errors in CSIH_SCRIPT
Date: Fri, 26 May 2017 19:38:00 -0000	[thread overview]
Message-ID: <c50589c74b974315dd7756109e270c74@xs4all.nl> (raw)

Hi,

Installing sshd on W7 reveals errors in CSIH_SCRIPT ...

CSIH_SCRIPT = /usr/share/csih/cygwin-service-installation-helper.sh

Just now I installed the sshd daemon on my W7 (64-bits Cygwin); I am 
still
using /etc/{passwd,group} as the "database" (i.e. NOT Windows SAM).

Invocation of /usr/bin/ssh-host-config (in an elevated shell) 
genenerated
the following TWO warnings:

   = 1st warning =
passwd: unknown user cyg_server
*** Warning: Setting password expiry for user 'cyg_server' failed!
*** Warning: Please check that password never expires or set it to your 
needs.
   = 2nd warning =
*** Warning: Expected privileged user 'cyg_server' does not exist.
*** Warning: Defaulting to 'SYSTEM' <===== no what I had in mind!

-----

ssh-host-config sources CSIH-SCRIPT

The function if interest in ssh-host-config is: install_service()

install_service() # skeleton of function as executed in my case
   csih_create_privileged_user
   csih_service_should_run_as

# ======================================================================
# Action!
# ======================================================================
... lot of statements
install_service || let warning_cnt+=$? # almost at bottom of file

-----

So the functions of interest in CSIH-SCRIPT are:

  - csih_create_privileged_user
  - csih_service_should_run_as

Near the bottom of csih_create_privileged_use(), "cyg_server" (the 
privileged
user) is ADDED to /etc/passwd ... too late and using the wrong 
statement.

Too late, because the privileged user ("cyg_server") should already have 
been
added near the beginning of this function ...

  - that is why the 1st warning is issued (from 
csih_create_privileged_user() )
  - and because of the wrong statement, "cyg_server" is NOT added to 
/etc/passwd

The 2nd warning is generated from csih_service_should_run_as() for the 
same
reason ("cyg_server" missing from /etc/passwd).
As a side-effect, the sshd service will be created using the "SYSTEM" 
account
i.s.o. "cyg_server" account -- not what was intended!

BTW, the comment at the top of csih_use_file_etc() is WRONG: it should 
read:

# ======================================================================
# Routine: csih_use_file_etc passwd|group
...
#   Returns 1 if files shall be used, 0 otherwise.
# ======================================================================

Regards,

Henri

=
= Skeleton of both functions as executed in my case
=

1.
csih_create_privileged_user() # in case user cyg_server must be created

  # privileged user ("cyg_server") already present?
   csih_privileged_account_exists "$csih_PRIVILEGED_USERNAME"

   # No, it is NOT! Create user ...
   csih_call_winsys32 net user "${csih_PRIVILEGED_USERWINNAME}"

   # make the passwd of the privileged user never expire ...
   if ! passwd -e "${csih_PRIVILEGED_USERNAME}"
   then
    ... WARNING: Setting password expiry for user "cyg_server" failed!
   fi

# Hold on, has user already been added to /etc/passwd (if files is 
preferred
# as the "database")? No, the user has NOT been added yet!
=====> This is why Henri gets his 1st warning ...
=====> ... and why he HAD to add user "cyg_server" to /etc/passwd
=====> ... and has to change the service
            (no, not the "SYSTEM" account, but the "cyg_server" account!)

... a lot more statements

# TOO LATE and using the WRONG variable name!
   # add cyg_server to /etc/passwd ... if and only if  files are used as 
database
   if csih_use_file_etc passwd # yes, Henri uses files as the "database"
   then
# HUH?
     /usr/bin/mkpasswd -l -u "${username}" >> "${SYSCONFDIR}/passwd"
# I believe the statement should have read: i.e. WRONG variable used
     /usr/bin/mkpasswd -l -u "${{csih_PRIVILEGED_USERNAME}" >> 
"${SYSCONFDIR}/passwd"
   fi

2.
csih_service_should_run_as()

... a lot of statements

   if csih_privileged_account_exists "$csih_PRIVILEGED_USERNAME" 1>&2
   then
     # it already existed before this script was launched (comment by 
Corinna)
     echo "$csih_PRIVILEGED_USERNAME"
     return
   elif /usr/bin/getent passwd "${csih_PRIVILEGED_USERNAME}"
   then
     ... ok
   else
     ... Warning: Expected privileged user "cyg_server" does not exist
     echo "SYSTEM" # meaning service will use the SYSTEM account (and not 
the
                   # cyg_server account) -- which is NOT was intended!
   fi

=====

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

             reply	other threads:[~2017-05-26 19:35 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-26 19:38 Houder [this message]
2017-05-27 11:35 ` Houder
2017-05-27 15:55 ` Installing sshd on W7 reveals errors in CSIH_SCRIPT -- patch file against master Houder
2017-05-28 13:46   ` Houder
2017-06-07  9:15   ` Corinna Vinschen
2017-06-07 11:58     ` Houder
2017-06-07 14:35       ` Corinna Vinschen
2017-06-07 18:17         ` Houder
2017-06-07 18:56           ` Corinna Vinschen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c50589c74b974315dd7756109e270c74@xs4all.nl \
    --to=houder@xs4all.nl \
    --cc=cygwin@cygwin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).