This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1


Corinna Vinschen wrote:
> On Aug 20 12:35, Charles Wilson wrote:
>>      csih_make_dir "${SYSCONFDIR}"
>> -
>> +    chmod 755 "${LOCALSTATEDIR}/etc" || /bin/true
>> +
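Review bot: the added `chmod 755` targets `${LOCALSTATEDIR}/etc`, which is not the directory created by the preceding `csih_make_dir "${SYSCONFDIR}"`; the intended line is evidently `chmod 755 "${SYSCONFDIR}" || /bin/true`. Separately, `|| /bin/true` discards a failed chmod without a trace; since this sets the mode of the system configuration directory, printing a warning on failure would be more useful than silently continuing.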
> 
> I guess that should have been
> 
>        chmod 755 "${SYSCONFDIR}" || /bin/true
> 

Err, yeah...

> I got two other problems:
> 
>   *** Query: Should privilege separation be used? (yes/no) yes
>   *** Warning: Something is wrong: sshd is in /etc/passwd,
>   *** Warning: but Windows does not know anything about sshd.
>   *** Warning: Perhaps sshd is a pre-existing domain account.
>   *** Warning: Continuing, but subsequent actions in this script may fail.

This is the FIXME I mentioned:
# FIXME: the following may be okay, and we may want to return success
# below if either *in_passwd or *in_user, rather than requiring both
# Solve this after the next round of testing.

e.g. This is one of the things I wanted to address before 0.1.8.

>   *** Warning: Couldn't create user 'sshd'!
>   *** Warning: Privilege separation set to 'no' again!
>   *** Warning: Check your /etc/sshd_config file!
> 
> That's a bit harsh.  If the unprivileged user exists in /etc/passwd, 
> let's use it.  Even if you print the warning, it doesn't make sense to
> return false from csih_create_unprivileged_user() in this case, thus
> resulting in a failing function in the parent script.

Ok.

>   *** Info: This script plans to use 'cyg_server'.
>   *** Info: 'cyg_server' will only be used by registered services.
>   *** Query: Do you want to use a different name? (yes/no) no
>   *** Warning: Adding user 'cyg_server' to local group 'Administrators' failed!
>   *** Warning: Please add 'cyg_server' to local group 'Administrators' before
>   *** Warning: starting any of the services which depend upon this user!
>   mkpasswd (445): [2221] The user name could not be found.
>   *** ERROR: There was a serious problem creating a privileged user.
>   *** Query: Do you want to proceed anyway?
> 
> Of course, since cyg_server is a domain account, it's not possible to
> add it to the local admins group.  In fact, since cyg_server is a Domain
> Admin account, and the Domain Admin group in turn is member of the
> Administrators group, cyg_server already is member of Administrators
> group on all domain member machines.
> 
> So, when choosing an account from /etc/passwd, the above step in
> csih_create_privileged_user() should be skipped, together with any
> postprocessing as checking for password expiry.

Ok.

> In the long run, it would be cool if the script would be domain aware,
> of course, but there might be some tweaking of tools necessary before
> we can do that.

Yes, but I'm afraid I will be completely at the mercy of PTC for that,
as I have no access to a domain server.

> Other than that, I think it looks good now.  I attached a patch to
> accomplish the above.

I've applied a variant of your patch. Main difference:

Rather than this:
-    [ "x${unpriv_user_in_passwd}" = "xyes" -a "x${unpriv_user_in_sam}"
= "xyes" ] && return 0
+    [ "x${unpriv_user_in_passwd}" = "xyes" -o "x${unpriv_user_in_sam}"
= "xyes" ] && return 0
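Review bot: switching `-a` to `-o` makes the function return success when `unpriv_user_in_sam` is yes but `unpriv_user_in_passwd` is still no, i.e. the account exists in the SAM but has not been added to /etc/passwd, so later steps that rely on the passwd entry could still fail; testing only the passwd flag avoids that.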


I did this:
+    [ "x${unpriv_user_in_passwd}" = "xyes" ] && return 0
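Review bot: this single check is correct only if the SAM-only and create-user branches set `unpriv_user_in_passwd=yes` after the passwd write has succeeded, not unconditionally on entering the branch; a one-line comment next to this check stating that invariant would make the dependency explicit for the next person editing those branches.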

(a) if it was already in passwd, we want to return 0
(b) else if it was already in SAM, we've added it to passwd and set this
variable.
(c) else if it didn't exist at all, we've created the user AND added it
to passwd, and set this variable.

Basically, by this point a valid user ought to be in /etc/passwd. If
not, THAT is the error.

I'll roll 0.1.8 momentarily. (Hoping no brown-bags...)

--
Chuck
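The account-resolution flow the thread settles on, as an added shell example that is not csih's own code: a scratch passwd file and a scratch "SAM" stand in for /etc/passwd, mkpasswd and net user, and the function names, the fixture users and the SIMULATE_MKPASSWD_FAILURE knob are all constructed here. It covers both points agreed above: the unprivileged user counts as a success as soon as it is in passwd, whether found there, imported from the SAM or newly created, and a privileged account that already came from passwd (for instance a domain account) skips the local Administrators step and the password-expiry postprocessing.

```shell
#!/bin/sh
# Added example, not csih's own code.  A scratch passwd file and a scratch
# "SAM" stand in for /etc/passwd and the Windows account database, so the
# control flow from the thread can be exercised on any POSIX system.

WORK="${TMPDIR:-/tmp}/csih-demo.$$"
mkdir -p "$WORK"
PASSWD="$WORK/passwd"   # stand-in for /etc/passwd
SAM="$WORK/sam"         # stand-in for the local Windows SAM (one name per line)
LOG="$WORK/log"         # records which side effects happened
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: 'sshd' is only in passwd (think: a domain account),
# 'cyg_server' is only in the SAM, anything else exists nowhere yet.
printf 'sshd:*:1003:1003:sshd privsep:/var/empty:/bin/false\n' > "$PASSWD"
printf 'cyg_server\n' > "$SAM"
: > "$LOG"

user_in_passwd() { grep -q "^$1:" "$PASSWD"; }
user_in_sam()    { grep -qx "$1" "$SAM"; }

# Stand-ins for 'net user NAME /add' and 'mkpasswd -l -u NAME >> /etc/passwd'.
# SIMULATE_MKPASSWD_FAILURE=yes (constructed knob) makes the passwd write fail,
# which is how the error path below gets exercised.
create_sam_user() { echo "$1" >> "$SAM" && echo "created SAM user $1" >> "$LOG"; }
add_to_passwd() {
    [ "${SIMULATE_MKPASSWD_FAILURE:-no}" = yes ] && return 1
    printf '%s:*:%s:513:%s:/var/empty:/bin/false\n' "$1" "$2" "$1" >> "$PASSWD" \
        && echo "added $1 to passwd" >> "$LOG"
}

# Unprivileged (privsep) user, following the (a)/(b)/(c) reasoning above:
# the outcome is a success exactly when the account is in passwd at the end,
# and the flag is set only after the passwd write actually succeeded.
ensure_unpriv_user() {
    user="$1" uid="$2"
    unpriv_user_in_passwd=no
    if user_in_passwd "$user"; then
        unpriv_user_in_passwd=yes                                   # (a)
    elif user_in_sam "$user"; then
        add_to_passwd "$user" "$uid" && unpriv_user_in_passwd=yes   # (b)
    else
        create_sam_user "$user" && add_to_passwd "$user" "$uid" \
            && unpriv_user_in_passwd=yes                            # (c)
    fi
    [ "x${unpriv_user_in_passwd}" = "xyes" ] && return 0
    echo "*** Warning: Couldn't create user '$user'!" >&2
    return 1
}

# Privileged service account.  An account that was already in passwd is used
# as-is: no local 'Administrators' membership change (impossible for a domain
# account, unnecessary for a Domain Admin) and no password-expiry check.
add_to_local_admins() { echo "added $1 to Administrators" >> "$LOG"; }
ensure_priv_user() {
    user="$1" uid="$2"
    if user_in_passwd "$user"; then
        echo "*** Info: using existing account '$user' from passwd" >> "$LOG"
        return 0
    fi
    create_sam_user "$user" && add_to_passwd "$user" "$uid" \
        && add_to_local_admins "$user"
}

# Walk through the four unprivileged cases and the two privileged ones.
demo() {
    ensure_unpriv_user sshd 1003        # (a): found in passwd, nothing added
    ensure_unpriv_user cyg_server 1004  # (b): in SAM, imported into passwd
    ensure_unpriv_user newuser 1005     # (c): created, then imported
    SIMULATE_MKPASSWD_FAILURE=yes
    ensure_unpriv_user ghost 1006       # passwd write fails -> warning, rc 1
    SIMULATE_MKPASSWD_FAILURE=no
    ensure_priv_user sshd 1003          # existing account: no group step
    ensure_priv_user svc_new 1007       # fresh account: created and added
    echo "--- side effects recorded:"; cat "$LOG"
}
demo
```

Running the file prints the single warning for the 'ghost' case and then the recorded side effects, which show that 'sshd' triggered neither an import nor a group change while 'svc_new' got both.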


