This is the mail archive of the cygwin mailing list for the Cygwin project.



csih-0.1.6 available for testing [Was: Re: CSIH patch (Re: Unable to run sshd ...)]


Charles Wilson wrote:
Corinna Vinschen wrote:
We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in both /etc/group and /etc/passwd, right?

Yes. I'm just wondering if we shouldn't check for the Admins group only. The token of the SYSTEM user always contains the Admins group and the cyg_server (or whatever the name is) user is always (and should always) be created as member of the admins group, too. So, if I didn't miss anything important, the check could be reduced to checking for the admins group permissions. Does that make sense?

It makes sense -- if the following assertion is true for NT/2k/XP, as well as more modern versions of Windows, for both cygwin-1.5 and cygwin-1.7:


Admins group access to a file (-...[rwx]... as specified by $2 if group ownership of the file is Administrators, or a sufficient group token in the extended ACLs is present as determined by getfacl) is necessary and sufficient for the SYSTEM user (and/or the special privileged user) to access the file, regardless of the file's actual owner.

Well, the changes are piling up in this release, so all I implemented with regards to this specific issue was


(1) csih_get_system_and_admins_ids() doesn't fail if it can't find the Administrators group entry in /etc/passwd
(2) csih_check_access() skips checking if the file is owned by the Administrators group when csih_ADMINSUID is empty.


We can address the finer points of this issue -- and probably others -- in 0.1.7.

I've uploaded csih-0.1.6 as a test release, but I do not imagine it will survive to curr: without changes. (e.g. it is most likely broken. I hope not, but...my testing environment is limited.) Please test and send patches for a better 0.1.7. Also see FIXME in csih_create_unprivileged_user.


Here's the change log and news:


NEWS

    * more permissions tweaks for privileged user:
    See http://cygwin.com/ml/cygwin/2008-06/msg00453.html
    Users of earlier versions of csih may need to manually
    adjust their existing privileged users. Again:
        editrights -r SeDenyNetworkLogonRight -u cyg_server
        editrights -r SeDenyInteractiveLogonRight -u cyg_server
        editrights -r SeIncreaseQuotaPrivilege -u cyg_server

    * Even on NT/2k/XP, prefer to use "privileged" user (cyg_server,
    sshd_server, cron_server, etc) if a suitable such user already
    exists.  If not, then for these older OS's, fall back to SYSTEM.
    As always, by setting csih_FORCE_PRIVILEGED_USER -- usually done
    by the calling script via a command line argument, such as
        /usr/bin/iu-config -privileged
    the user can force NT/2k/XP to behave as Vista or Server2008: a
    privileged user is required, and if one does not exist it will
    be created.

    * Also accept privileged accounts that exist only in /etc/passwd and
    are not present in the local SAM.  That is, accept pre-existing
    privileged domain accounts.

    * New utility program: getVolInfo
    http://cygwin.com/ml/cygwin/2007-08/msg00040.html

    * New function: csih_path_supports_acls() returns 0 (success)
    if the specified path is located on a volume that supports
    ACLs. Uses getVolInfo. Behavior can be modified, when getVolInfo
    is incorrect, by setting user-accessible variables:
        csih_WIN32_VOLS_WITH_ACLS
        csih_WIN32_VOLS_WITHOUT_ACLS
    which each may contain ;-separated lists of win32 paths,
    specifying volumes in the relevant category.

    * It is no longer a fatal error if, when checking the
    permissions or access rights of a file or directory, the
    target is located on a volume that does not support ACLs.
    A warning is issued, but operation continues.

    * The Administrators group is no longer required to be in
    /etc/passwd. However, it is still required in /etc/group.
    SYSTEM is (still) required in both /etc/passwd and /etc/group.

ChangeLog

2008-08-07 Charles Wilson <...>

        Add getVolInfo utility program. Use it to avoid
        checking permissions on volumes that do not support ACLs.

        * csih.sh (main): update documentation.
        (csih_WIN32_VOLS_WITH_ACLS): new client-accessible var.
        (csih_WIN32_VOLS_WITHOUT_ACLS): ditto.
        (csih_path_supports_acls): new function.
        (_csih_convert_w32vol_to_shell_pattern): new function.
        (_csih_path_in_volumelist_core): new function.
        (_csih_path_in_volumelist): new function.
        (csih_get_system_and_admins_ids): update comments.
        No longer an error if Administrators group is not found
        in /etc/passwd.
        (_csih_warning_for_win9x_perms): new function.
        (_csih_warning_for_missing_ACL_support): new function.
        (csih_check_dir_perms): bail out early (returning success
        but with a warning) if on OS older than windows NT, or the
        specified file/dir is on a volume that does not support ACLs.
        (csih_check_access): ditto. Also, improve comments. If
        csih_ADMINSUID is empty, gracefully skip checking if file/dir
        is owned by the Administrators group.
        * cygwin/Makefile: new file.
        * cygwin/getVolInfo.c: new file.
        * COPYING: update documentation.
        * NEWS: update documentation.

2008-08-04 Charles Wilson <...>

        Accept pre-existing privileged domain accounts.
        Default to privileged account on NT/2k/XP if exist.

        * csih.sh (csih_privileged_accounts): Always look
        for privileged users if NT or better. Look in both
        /etc/passwd and local SAM.
        (csih_privileged_account_exists): Update documentation
        to reflect behavior change inherited from above.
        (csih_select_privileged_username): Attempt to return
        a username even on NT/2k/XP (but default to empty if
        no pre-existing privileged user on those OS's). Be more
        specific in the informational messages emitted. Look
        in both /etc/passwd and local SAM for accounts, if user
        specified one we don't know about already.
        (csih_create_privileged_user): Improve comments.
        (csih_create_unprivileged_user): Improve comments.
        See FIXME! (remove this line from ChangeLog when resolved)
        (csih_service_should_run_as): Improve comments. Check
        both /etc/passwd and local SAM if "answer" is an account
        that did not exist when script was launched. For NT/2k/XP,
        default to pre-existing privileged user (if one exists), and
        only report SYSTEM otherwise.
        * NEWS: Document new behavior

2008-07-19 Corinna Vinschen <...>

        * csih.sh (csih_account_has_necessary_privileges): Don't
        explicitly test for SeDenyXXX rights, nor for
        SeIncreaseQuotaPrivilege.
        (csih_create_privileged_user): Drop setting
        SeDenyInteractiveLogonRight and SeIncreaseQuotaPrivilege.



--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
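The check that the assertion in the message describes (Administrators group rights on a file, either through group ownership or through a named group entry in the extended ACL as getfacl reports it) can be illustrated from getfacl-style output alone. This is an added example, not csih's code: the function names, the constructed sample ACL text and the POSIX-style mask handling are assumptions of the example.

```shell
#!/bin/sh
# Added example (not csih code): decide from getfacl-style output whether the
# Administrators group holds the requested rwx bits on a file, either as the
# owning group (group::) or via a named group:Administrators: entry.

# perms_satisfy HAVE MASK WANT: 0 if every bit set in WANT is set in both
# HAVE and MASK (the effective permission is HAVE & MASK).
perms_satisfy() {
    _h=$1; _m=$2; _w=$3
    for _i in 1 2 3; do
        _wc=$(printf '%s' "$_w" | cut -c"$_i")
        [ "$_wc" = "-" ] && continue
        [ "$(printf '%s' "$_h" | cut -c"$_i")" = "$_wc" ] || return 1
        [ "$(printf '%s' "$_m" | cut -c"$_i")" = "$_wc" ] || return 1
    done
    return 0
}

# admins_have_access ACL_TEXT WANT: 0 if Administrators are granted WANT
admins_have_access() {
    _acl=$1; _want=$2
    _owngrp=""; _mask="rwx"; _granted="---"
    while IFS= read -r _line; do
        case $_line in
            "# group: "*)           _owngrp=${_line#"# group: "} ;;
            mask:*)                 _mask=${_line#mask:} ;;
            group::*)               [ "$_owngrp" = Administrators ] &&
                                        _granted=${_line#group::} ;;
            group:Administrators:*) _granted=${_line#group:Administrators:} ;;
        esac
    done <<EOF
$_acl
EOF
    # No mask line means no extended ACL; the default "rwx" mask is a no-op.
    perms_satisfy "$_granted" "$_mask" "$_want"
}

# Constructed sample: owning group is Users; a named entry grants
# Administrators rwx, but the mask cuts the effective rights to r-x.
SAMPLE_ACL='# owner: cyg_server
# group: Users
user::rwx
group::r-x
group:Administrators:rwx
mask:r-x
other:---'

admins_have_access "$SAMPLE_ACL" rwx && echo "rwx granted" || echo "rwx denied"
```

With the sample above the named entry alone would grant rwx, but the mask reduces the effective rights to r-x, so a check for write access correctly fails.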

