This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Minires truncates host names


Hi Daniel,

On Jul 17 22:29, D. Boland wrote:
> Hi Corinna,
> 
> Corinna Vinschen wrote:
> > 
> > On Jul 17 20:14, D. Boland wrote:
> > > Just letting you know how it went with the Resolver (miniedit). The error, pointed
> > > out by you, solved the problem.
> > 
> > Did you read my previous reply?  Do *not* use the minires lib.  Use the
> > Cygwin resolver.  There's no minires lib on 64 bit anymore and the 32
> > bit runtime minires is only maintained for backward compatibility.
> 
> Yes, I read it. I just don't like to swap my current Cygwin DLL. I will test it
> properly on a fresh Cygwin system on another computer. When will the fix be released?

With 1.7.31 in the next few days.  But there are still the developer
snapshots for testing.  Here's the deal: If you test a developer
snapshot you can make sure that the next release will fix the problem.
If you don't test the snapshot you won't have that privilege and the
functionality will still be broken up to the next release.  Simple.

> > > Now I have an even bigger problem. Sendmail works perfectly. But only on my XP
> > > machine. As of Windows Vista, MS decided to remove certain privileges from the
> > > SYSTEM user.
> > 
> > You might have to read the user's manual in the long run ;)
> > 
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> 
> I did read it. Very well written, I might add. It looked very complicated at first
> but when I read it, it made my problem very clear.
> 
> > Other services are set up so that they use another account called
> > cyg_server.  See, for instance, how ssh-host-config helps an admin to
> > set this up.  The csih package helper script is lending you a hand when
> > creating such service installer scripts.  See also
> > 
> > https://cygwin.com/faq/faq.html#faq.using.sshd-in-domain
> 
> I must say, I am not a big fan of this csih thang. It totally obfuscates what I am
> doing with my Cygwin server as an administrator. Also, it creates the "cyg_server"
> user, which just mimics what the SYSTEM user used to do. Maybe it should have been
> called "root"?

SYSTEM or, FWIW, cyg_server are not root.  Nor are the users in the
admin group.  The privilege concept in Windows is simply different and
trying to tweak it into shape is bound to fail one way or the other.
That's why we don't pretend any of the user accounts is actually root.

> The SYSTEM user was/is also regarded as the root user by other software from the
> Unix world. It's in the procmail source code (#define ROOT_uid 18).

That's a Cygwin-specific patch to change tests testing for uid 0
to tests for uid 18 by default.  But that doesn't matter.

> I searched for MS's position on this issue. I found this article:
> 
> http://technet.microsoft.com/en-us/library/bb457125.aspx
> 
> In the section about the SeTcbPrivilege, which the "cyg_server" user needs to log in
> as another user

Stop right here.  The problem is *not* SeTcbPrivilege.  SeTcbPrivilege
is only one side of the coin.  The other side is SeCreateTokenPrivilege.
Starting with Windows 2003, all services started under the SYSTEM
account get an access token with the SeCreateTokenPrivilege explicitly
removed.  That means method 1 from the user guide
(https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1)
which at one point in the past was the *only* method, won't work.
Given that method 2 and 3 require specific administrator intervention,
method 1 is still the fallback, and it's probably in use on many
machines of users who don't want to install an LSA auth package or
to store the password in the registry.

> I cannot believe that MS just disabled this privilege in the newer Windows versions,

They didn't.  They removed SeCreateTokenPrivilege.

> without providing an alternative. So now I'm trying the LocalService user...

Good luck.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
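
Added example, not part of the message above and not Cygwin's own code: a shell check, meant to be run from the service's own context, of whether the token carries the two privileges the message names. It assumes the English column layout of Windows' `whoami /priv`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `whoami /priv` output for a service token (not captured
# from a real machine). A privilege removed from the token has no row at all.
sample_priv_output() {
cat <<'EOF'

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeTcbPrivilege                Act as part of the operating system       Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
EOF
}

# priv_state NAME: read `whoami /priv` output on stdin and print
# Enabled, Disabled or Absent for the named privilege.
priv_state() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                  # whoami.exe writes CRLF line ends
        $1 == want { print $NF; found = 1 } # State is the last column
        END { if (!found) print "Absent" }
    '
}

# method1_usable: print both states; exit 0 only if both privileges are in
# the token. A Disabled privilege can still be enabled by the process itself,
# an Absent one cannot, so only Absent counts as a failure here.
method1_usable() {
    local out tcb create
    out=$(cat)
    tcb=$(printf '%s\n' "$out" | priv_state SeTcbPrivilege)
    create=$(printf '%s\n' "$out" | priv_state SeCreateTokenPrivilege)
    echo "SeTcbPrivilege=$tcb SeCreateTokenPrivilege=$create"
    [ "$tcb" != Absent ] && [ "$create" != Absent ]
}

# Live check on a Cygwin host: sh thisfile --live
# (cygpath -S prints the Windows system directory, where whoami.exe lives)
if [ "${1:-}" = "--live" ]; then
    "$(cygpath -S)/whoami.exe" /priv | method1_usable
fi
```

On the constructed sample the check fails because SeCreateTokenPrivilege has no row, which is the situation described for services started under SYSTEM since Windows 2003.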
