This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin at cygwin dot com
Date: Thu, 7 Aug 2008 18:42:41 +0200
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
References: <48821B9F.6070907@cwilson.fastmail.fm> <20080719171235.GO5675@calimero.vinschen.de> <488252B5.8000501@cwilson.fastmail.fm> <20080720122754.GP5675@calimero.vinschen.de> <20080720134054.GQ5675@calimero.vinschen.de> <4897AD74.8020606@cwilson.fastmail.fm> <20080807075806.GA30629@calimero.vinschen.de> <489B13F4.4030002@cwilson.fastmail.fm> <20080807154823.GI3806@calimero.vinschen.de> <489B20AC.9080902@cwilson.fastmail.fm>
Reply-to: cygwin at cygwin dot com

On Aug  7 12:19, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> Well, hmm.  In theory, admins have backup/restore rights anyway.
>> However, I was just thinking that csih should get rid of points of
>> failure which are not entirely necessary, like the checks for denied
>> user rights.  If you think the test is necessary, just stick to it.
>
> Well, part of the purpose of the foo-config scripts is to diagnose -- if 
> the foo-config script succeeds without error, then one would expect that 
> the installed service will, in fact, operate correctly.  It's much worse to 
> have a user run ssh-host-config which /apparently/ succeeds, only to have 
> the service fail to start or operate correctly.
>
> So, I think /some/ version of this test should remain. However, if the 
> Administrators GROUP is not present in the /etc/passwd file -- that's not a 
> failure, so long as the Administrator and/or SYSTEM have the desired access 
> to the file (as well as the file's owner).
>
> So, I can see csih_get_system_and_admins_ids() reporting success if it 
> finds these three: ADMIN-GID, SYSTEM-GID, and SYSTEM-UID, and treating 
> ADMIN-UID (e.g. -544 in /etc/passwd) as a non-failure if missing.
>
> Then, csih_check_access (and all other users of ADMIN-UID) would 
> special-case against empty.
>
> We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in 
> both /etc/group and /etc/passwd, right?

Yes.  I'm just wondering if we shouldn't check for the Admins group
only.  The token of the SYSTEM user always contains the Admins group and
the cyg_server (or whatever the name is) user is always (and should
always) be created as member of the admins group, too.  So, if I didn't
miss anything important, the check could be reduced to checking for the
admins group permissions.  Does that make sense?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Follow-Ups:
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Charles Wilson

References:
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Charles Wilson
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Corinna Vinschen
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Charles Wilson
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Corinna Vinschen
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Charles Wilson

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]