This is the mail archive of the
mailing list for the Cygwin project.
[RFC] Globally creating a user and a group "root"
- From: Corinna Vinschen <vinschen at redhat dot com>
- To: cygwin-apps at cygwin dot com
- Date: Tue, 11 Nov 2003 13:46:48 +0100
- Subject: [RFC] Globally creating a user and a group "root"
- Reply-to: cygwin-apps at cygwin dot com
Hi to all,
I'm sure you already saw this sort of discussion arising on the
Cygwin list, which basically says, "I can't run sshd/cron/whatever
as service on 2003 Server".
The reason is that 2003 drops the CreateToken privilege from all services
running under LocalSystem account, hence the inability to switch user
context without password.
The week before, I created a solution for sshd, namely an improved
ssh-host-config script, which creates a user called "sshd_server" with
the appropriate privileges to run sshd under.
As it turned out fairly quickly now, this was a short-sighted approach.
I forgot entirely that other services will suffer from the same problem.
So, what we need is a general approach.
My idea is basically the following:
- On all NT systems, create a user account called "root" which is
  a member of the administrators group.
- Always add "root" with uid 0 to /etc/passwd.
- Always add a "root" entry with gid 0 to /etc/group, which on NT
  systems has the SID of the administrators group.
The advantage of this is that new packages could expect having a
root account and a root group with uid and gid 0. So account specific
rules in a lot of U*X-centric packages could mostly stay as they are
as a first approximation.
How could that be implemented?
- The default postinstall always creates the "root" group entry in
  /etc/group. It also creates a "root" user entry if a user "root"
  exists (that's done by mkpasswd already). But it also creates a
  "root" user in /etc/passwd if it does not exist in the NT SAM, as a
  placeholder with a hint in the password field "DON'T TOUCH".
- Add a script to the base-files or base-passwd package, which creates
  the "root" user according to the above rules. This script could be
  called, say, /usr/sbin/create-root. How it could work can be seen
- From service installation scripts (like ssh-host-config), call that
  script instead of doing it by itself.
- All services should (or may) expect to run under that "root" account
  with uid and gid 0.
Of course, this would require all maintainers of packages, which provide
a service, to change their package accordingly.
Comments? If we agree to do as above (or similar), I would gladly
appreciate it if I didn't have to do it alone.
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
Please, send mails regarding Cygwin to mailto:firstname.lastname@example.org
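The postinstall step proposed in the message above, sketched as an added example that is not part of the original post or of any Cygwin package: it idempotently adds the "root" group (gid 0, Administrators SID) and the "DON'T TOUCH" placeholder user (uid 0), and refuses to edit when root or id 0 is already bound to something else. The function names, the `name:SID:gid:members` group layout, the empty trailing passwd fields and the sample lines are assumptions of this example, and absence from the passwd file stands in for "not in the NT SAM".

```shell
#!/bin/sh
# Added example, not Cygwin's postinstall code. File paths are parameters so
# the functions can be tried on copies instead of the live /etc files.
ADMIN_SID="S-1-5-32-544"   # well-known SID of the built-in Administrators group

# root_state FILE: both files keep the name in field 1 and the id in field 3.
# Prints ok (root owns id 0), conflict (root or id 0 bound elsewhere), or missing.
root_state() {
    awk -F: '
        $1 == "root" && $3 == "0" { ok = 1 }
        $1 == "root" && $3 != "0" { bad = 1 }
        $1 != "root" && $3 == "0" { bad = 1 }
        END { print (bad ? "conflict" : (ok ? "ok" : "missing")) }' "$1"
}

# ensure_root PASSWD_FILE GROUP_FILE: idempotent; refuses to edit on conflict.
ensure_root() {
    for f in "$1" "$2"; do
        if [ "$(root_state "$f")" = conflict ]; then
            echo "refusing: root or id 0 is already bound differently in $f" >&2
            return 1
        fi
    done
    # An existing root group must carry the Administrators SID (field 2).
    sid=$(awk -F: '$1 == "root" { print $2; exit }' "$2")
    if [ -n "$sid" ] && [ "$sid" != "$ADMIN_SID" ]; then
        echo "refusing: group root has SID $sid, expected $ADMIN_SID" >&2
        return 1
    fi
    if [ "$(root_state "$2")" = missing ]; then
        printf 'root:%s:0:\n' "$ADMIN_SID" >> "$2"
    fi
    # Placeholder user for when no NT account named root exists yet; the empty
    # gecos/home/shell fields are an assumption of this example.
    if [ "$(root_state "$1")" = missing ]; then
        printf "root:DON'T TOUCH:0:0:::\n" >> "$1"
    fi
}

# Demo on constructed sample files (not real /etc contents).
tmp=$(mktemp -d)
printf 'SYSTEM:*:18:544:,S-1-5-18::\n' > "$tmp/passwd"
printf 'Administrators:S-1-5-32-544:544:\n' > "$tmp/group"
ensure_root "$tmp/passwd" "$tmp/group" && cat "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

Running `root_state` on its own against an existing passwd or group file gives a quick audit of whether some other account already holds uid or gid 0.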