This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])


On Aug  7 11:25, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> Hi Chuck,
>> On Aug  4 21:31, Charles Wilson wrote:
>>> Corinna Vinschen wrote:
>>>> Btw., there's a test for the administrators group in /etc/passwd.
>
>
>>> I don't see this. I see testing /etc/passwd for the (local) Administrator 
>>> USER, and testing /etc/group for the Administrators GROUP, but not 
>>> /etc/passwd <-> Administrators GROUP.
>>>
>>> More info please?
>> Function csih_get_system_and_admins_ids(), last test:
>>   csih_ADMINSUID=$(sed -ne '/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,S-1-5-32-544:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}' /etc/passwd)
>>   csih_SYSTEMUID=$(sed -ne '/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,S-1-5-18:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}' /etc/passwd)
>>   if [ -z "$csih_ADMINSUID" -o -z "$csih_SYSTEMUID" ]
>>   then
>>     [...]
>> The function csih_get_system_and_admins_ids is called by
>> csih_check_access() and requires the above test being successful.
>
> Ah -- those lines are testing /etc/passwd for the Administrator USER. You 
> originally said 'administrators group'. Hence my confusion.

No, the above lines are checking for the passwd entry for the
administrators group.   S-1-5-32-544 is the SID of that group.
The SID for the Administrator user is S-1-5-21-X-Y-Z-500.

> Now, about csih_check_access() -- without exact knowledge of 
> csih_ADMINSUID, csih_SYSTEMUID, csih_ADMINSGID, and csih_SYSTEMGID, then 
> the whole csih_check_access() test can't be computed.
>
> If you make those GID/UID vars "optional" (e.g. not a failure if missing), 
> and then skip the relevant tests in csih_check_access, you might as well 
> just abandon the test entirely.  Is that what we want to do?  Never bother 
> to check for SYSTEM/Administrator access to the specified files?
>
> e.g.
>   /var/run
>   /var/log
>   /var/empty
>
> Somehow that doesn't seem right.

Well, hmm.  In theory, admins have backup/restore rights anyway.
However, I was just thinking that csih should get rid of points of
failure which are not entirely necessary, like the checks for denied
user rights.  If you think the test is necessary, just stick to it.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
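
The lookup discussed in this message, as an added example that is not part of the original mail or of csih: the quoted sed test is parameterised by SID and run over constructed passwd lines, showing that the Administrators group entry (S-1-5-32-544) matches while an Administrator user entry (S-1-5-21-X-Y-Z-500) does not. The names `uid_for_sid`, `check_ids` and `make_sample_passwd` and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not csih code): the sed test quoted from
# csih_get_system_and_admins_ids(), parameterised by SID.

# uid_for_sid SID FILE (hypothetical helper): print the UID of the first
# passwd entry whose gecos field ends in ",SID", then stop reading.
uid_for_sid() {
  case "$1" in
    *[!S0-9-]*|"") return 2 ;;  # only S, digits, hyphens: safe in the regex
  esac
  sed -ne "/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,$1:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*\$/\1/p;q;}" "$2"
}

# check_ids FILE (hypothetical): mirrors the quoted
# [ -z "$csih_ADMINSUID" -o -z "$csih_SYSTEMUID" ] failure test.
check_ids() {
  admins_uid=$(uid_for_sid S-1-5-32-544 "$1")
  system_uid=$(uid_for_sid S-1-5-18 "$1")
  [ -n "$admins_uid" ] && [ -n "$system_uid" ]
}

# Constructed sample in passwd layout; not taken from a real system.
make_sample_passwd() {
  cat <<'EOF'
SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused:500:513:U-HOST\Administrator,S-1-5-21-X-Y-Z-500:/home/Administrator:/bin/bash
EOF
}

demo=$(mktemp)
make_sample_passwd > "$demo"
echo "Administrators group UID: $(uid_for_sid S-1-5-32-544 "$demo")"
echo "SYSTEM UID:               $(uid_for_sid S-1-5-18 "$demo")"

# Remove the group entry. The Administrator USER line is still present,
# but its SID differs, so the lookup comes back empty and the check fails.
grep -v '^Administrators:' "$demo" > "$demo.nogroup"
if check_ids "$demo.nogroup"; then
  echo "check passed"
else
  echo "check fails: no passwd entry for the Administrators group"
fi
rm -f "$demo" "$demo.nogroup"
```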
