This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])


Corinna Vinschen wrote:
No, the above lines are checking for the passwd entry for the
administrators group.   S-1-5-32-544 is the SID of that group.
The SID for the Administrator user is S-1-5-21-X-Y-Z-500.

D'oh. Right.


Now, about csih_check_access() -- without exact knowledge of csih_ADMINSUID, csih_SYSTEMUID, csih_ADMINSGID, and csih_SYSTEMGID, then the whole csih_check_access() test can't be computed.

If you make those GID/UID vars "optional" (e.g. not a failure if missing), and then skip the relevant tests in csih_check_access, you might as well just abandon the test entirely. Is that what we want to do? Never bother to check for SYSTEM/Administrator access to the specified files?

e.g.
  /var/run
  /var/log
  /var/empty

Somehow that doesn't seem right.

Well, hmm. In theory, admins have backup/restore rights anyway. However, I was just thinking that csih should get rid of points of failure which are not entirely necessary, like the checks for denied user rights. If you think the test is necessary, just stick to it.

Well, part of the purpose of the foo-config scripts is to diagnose -- if the foo-config script succeeds without error, then one would expect that the installed service will, in fact, operate correctly. It's much worse to have a user run ssh-host-config which /apparently/ succeeds, only to have the service fail to start or operate correctly.


So, I think /some/ version of this test should remain. However, if the Administrators GROUP is not present in the /etc/passwd file -- that's not a failure, so long as the Administrator and/or SYSTEM have the desired access to the file (as well as the file's owner).

So, I can see csih_get_system_and_admins_ids() reporting success if it finds these three: ADMIN-GID, SYSTEM-GID, and SYSTEM-UID, and treating ADMIN-UID (e.g. -544 in /etc/passwd) as a non-failure if missing.

Then, csih_check_access (and all other users of ADMIN-UID) would special-case against empty.

We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in both /etc/group and /etc/passwd, right?

--
Chuck


-- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]