[ITP] postfix 2.11.3
Corinna Vinschen
corinna-cygwin@cygwin.com
Wed Nov 19 16:39:00 GMT 2014
On Nov 17 16:33, Corinna Vinschen wrote:
> On Nov 17 15:50, Christian Franke wrote:
> > Therefore some csih_create_local_group function would be useful.
>
> Sure, but it doesn't exist right now.
>
> > >> The (files-only|non-domain|domain) complexity should be handled in csih,
> > >> IMO:
> > > Uhm... AFAICS it is. After checking or creating a user, the new incarnation
> > > of csih will have set three variables, either
> > >
> > > csih_PRIVILEGED_USERNAME
> > > csih_PRIVILEGED_USERWINNAME
> > > csih_PRIVILEGED_USERDOMAIN
> > >
> > > or
> > >
> > > csih_UNPRIVILEGED_USERNAME
> > > csih_UNPRIVILEGED_USERWINNAME
> > > csih_UNPRIVILEGED_USERDOMAIN
> > >
> > > so the calling script can just use the new name in whatever variation
> > > required.
> >
> > Sounds good.
> >
> > How will the username input parameter be interpreted?
> > Cygwin name, Windows name or depending on an option?
>
> Cygwin name in the first place, unless the account doesn't exist.
> In that case the mapping doesn't exist either, so it will be treated
> as Windows name and the mapping will be generated on the fly.
Would you mind helping to test the new csih helper script? I tested
most of it I hope, but there are so many nooks and crannies, I'm sure
I'm missing something.
I attached the current incarnation of the script, as well as the patch
for further inspection.
As a reward for your help, the new script also comes with a
csih_create_local_group function which sets the following global
variables:
csih_LOCAL_GROUPNAME
csih_LOCAL_GROUPWINNAME
csih_LOCAL_GROUPDOMAIN
:}
Thanks,
Corinna
--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cygwin-service-installation-helper.sh
Type: application/x-sh
Size: 121891 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin-apps/attachments/20141119/6a792ab5/attachment.sh>
-------------- next part --------------
Index: cygwin-service-installation-helper.sh
===================================================================
RCS file: /cvs/cygwin-apps/csih/cygwin-service-installation-helper.sh,v
retrieving revision 1.31
diff -u -p -r1.31 cygwin-service-installation-helper.sh
--- cygwin-service-installation-helper.sh 9 Apr 2013 05:35:47 -0000 1.31
+++ cygwin-service-installation-helper.sh 19 Nov 2014 16:38:03 -0000
@@ -1,7 +1,7 @@
# -- #!/bin/bash --
# cygwin-service-installation-helper.sh
#
-# Copyright (c) 2010-2013 Charles S. Wilson, Corinna Vinschen,
+# Copyright (c) 2010-2014 Charles S. Wilson, Corinna Vinschen,
# Pierre Humblett, and others listed in
# AUTHORS
#
@@ -59,12 +59,18 @@
# csih_is_vista
# csih_is_windows7
# csih_is_windows8
+# csih_is_windows8_1
+# csih_is_windows10
# csih_is_exactly_vista
# csih_is_exactly_server2008
# csih_is_exactly_windows7
# csih_is_exactly_windows8
+# csih_is_exactly_windows8_1
+# csih_is_exactly_windows10
# csih_is_exactly_server2008r2
# csih_is_exactly_server2012
+# csih_is_exactly_server2012r2
+# csih_is_exactly_server2014
# csih_version_ge
# csih_version_le
# csih_version_gt
@@ -82,6 +88,7 @@
# csih_make_dir
# csih_get_system_and_admins_ids
# csih_check_passwd_and_group
+# csih_use_file_etc
# csih_check_user
# csih_check_dir_perms
# csih_check_access
@@ -92,6 +99,7 @@
# csih_select_privileged_username
# csih_create_privileged_user
# csih_create_unprivileged_user
+# csih_create_local_group
# csih_service_should_run_as
# csih_disable_color
# csih_enable_color
@@ -182,10 +190,37 @@
# csih_service_should_run_as) but may be set explicitly by foo-config
# foo-config should treat as read-only after first call to any csih_*
# function
+# csih_PRIVILEGED_USERWINNAME
+# Set by csih_select_privileged_username. While csih_PRIVILEGED_USERNAME
+# is the Cygwin username, csih_PRIVILEGED_USERWINNAME is the Windows
+# username. This can be used in conjunction with...
+# csih_PRIVILEGED_USERDOMAIN
+# Set by csih_select_privileged_username. This is the Windows domain or,
+# on non-domain machines, the machine name.
# csih_PRIVILEGED_PASSWORD
# Set by csih_create_privileged_user
# foo-config treat as read-only. To "prime" the value, pass as first argument
# when calling csih_create_privileged_user
+# csih_UNPRIVILEGED_USERNAME
+# Set by calling csih_create_unprivileged_user.
+# csih_UNPRIVILEGED_USERWINNAME
+# Set by calling csih_create_unprivileged_user.
+# While csih_UNPRIVILEGED_USERNAME is the Cygwin username,
+# csih_UNPRIVILEGED_USERWINNAME is the Windows username. This can be
+# used in conjunction with...
+# csih_UNPRIVILEGED_USERDOMAIN
+# Set by calling csih_create_unprivileged_user. This is the Windows
+# domain or, on non-domain machines, the machine name.
+# csih_LOCAL_GROUPNAME
+# Set by calling csih_create_local_group.
+# csih_LOCAL_GROUPWINNAME
+# Set by calling csih_create_local_group.
+# While csih_LOCAL_GROUPNAME is the Cygwin username,
+# csih_LOCAL_GROUPWINNAME is the Windows username. This can be
+# used in conjunction with...
+# csih_LOCAL_GROUPDOMAIN
+# Set by calling csih_create_local_group. This is the Windows
+# domain or, on non-domain machines, the machine name.
# csih_WIN32_VOLS_WITH_ACLS
# a ;-separated list of windows volumes that are guaranteed to support
# ACLS, even if the getVolInfo program doesn't think so. Used to override
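Review bot: the csih_LOCAL_GROUPNAME / csih_LOCAL_GROUPWINNAME description was copied from the user variables and still says "While csih_LOCAL_GROUPNAME is the Cygwin username, csih_LOCAL_GROUPWINNAME is the Windows username"; these are group names, so reword to "Cygwin group name" / "Windows group name". The three "This can be used in conjunction with..." sentences also trail off; either finish them (presumably "...csih_*_DOMAIN to build a DOMAIN\name pair") or drop them.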
@@ -207,7 +242,7 @@
# Initial setup, default values, etc. PART 1
# ======================================================================
csih_progname=$0
-csih_VERSION=0.9.7
+csih_VERSION=0.9.8
readonly csih_progname csih_VERSION
csih_auto_answer=""
@@ -220,7 +255,15 @@ csih_ADMINSUID=
csih_SYSTEMGID=
csih_SYSTEMUID=
csih_PRIVILEGED_USERNAME=
+csih_PRIVILEGED_USERWINNAME=
+csih_PRIVILEGED_USERDOMAIN=
csih_PRIVILEGED_PASSWORD=
+csih_UNPRIVILEGED_USERNAME=
+csih_UNPRIVILEGED_USERWINNAME=
+csih_UNPRIVILEGED_USERDOMAIN=
+csih_LOCAL_GROUPNAME=
+csih_LOCAL_GROUPWINNAME=
+csih_LOCAL_GROUPDOMAIN=
csih_helper_stdout=
csih_helper_stderr=
csih_WIN32_VOLS_WITH_ACLS=
@@ -253,8 +296,18 @@ _csih_version_parse_pkg_micro=
_csih_w32vol_as_shell_pattern=
_csih_w32vol_as_shell_pattern_trailing_slash=
-_csih_well_known_privileged_accounts="cyg_server sshd_server cron_server"
-_csih_well_known_privileged_accounts_quoted="'cyg_server' 'sshd_server' 'cron_server'"
+_csih_well_known_privileged_accounts="cyg_server
+ sshd_server
+ cron_server
+ $COMPUTERNAME+cyg_server
+ $COMPUTERNAME+sshd_server
+ $COMPUTERNAME+cron_server"
+_csih_well_known_privileged_accounts_quoted="'cyg_server'
+ 'sshd_server'
+ 'cron_server'
+ '$COMPUTERNAME+cyg_server'
+ '$COMPUTERNAME+sshd_server'
+ '$COMPUTERNAME+cron_server'"
readonly _csih_well_known_privileged_accounts _csih_well_known_privileged_accounts_quoted
_csih_ERROR_STR_COLOR="\e[1;31m*** ERROR:\e[0;0m"
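Review bot: the new `$COMPUTERNAME+cyg_server` entries use the machine name as-is (normally upper case), while the csih_select_privileged_username hunk later builds the same kind of name as `${COMPUTERNAME,,*}+${username}` (lower-cased). Pick one spelling for both places, and add a comment stating whether getent lookups of these names are case-insensitive, since `getent passwd $_csih_well_known_privileged_accounts` is what decides whether a pre-existing `host+cyg_server` account is found. Note also that an empty COMPUTERNAME yields `+cyg_server` entries; harmless for the lookup, but worth a comment.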
@@ -593,6 +646,7 @@ _csih_sanity_check()
/usr/bin/cygpath cygwin
/usr/bin/dirname coreutils
/usr/bin/expr coreutils
+ /usr/bin/getent getent
/usr/bin/getfacl cygwin
/usr/bin/grep grep
/usr/bin/id coreutils
@@ -677,30 +731,30 @@ _csih_sanity_check
csih_progname_base=$(/usr/bin/basename -- $csih_progname)
readonly csih_progname_base
_csih_sys="$(/usr/bin/uname)"
-_csih_nt=$(/usr/bin/expr "${_csih_sys}" : "CYGWIN_NT")
-_csih_2k=0
_csih_xp=0
_csih_nt2003=0
_csih_vista=0
_csih_windows7=0
_csih_windows8=0
+_csih_windows8_1=0
+_csih_windows10=0
_csih_exactly_server2008=0
_csih_exactly_server2008r2=0
_csih_exactly_server2012=0
_csih_exactly_vista=0
_csih_exactly_windows7=0
_csih_exactly_windows8=0
+_csih_exactly_windows8_1=0
+_csih_exactly_windows10=0
# If running on NT, check if running under XP(64), 2003 Server, or later
-if [ ${_csih_nt} -gt 0 ]
-then
- _csih_2k=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 5.0 ) ? 1 : 0;}')
- _csih_xp=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 5.1 ) ? 1 : 0;}')
- _csih_nt2003=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}') # also true for XP(64)
- _csih_vista=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 6.0 ) ? 1 : 0;}')
- _csih_windows7=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 6.1 ) ? 1 : 0;}')
- _csih_windows8=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 6.2 ) ? 1 : 0;}')
-fi
-readonly _csih_sys _csih_nt _csih_2k _csih_xp _csih_nt2003 _csih_vista _csih_windows7 _csih_windows8
+_csih_xp=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 5.1 ) ? 1 : 0;}')
+_csih_nt2003=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}') # also true for XP(64)
+_csih_vista=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 6.0 ) ? 1 : 0;}')
+_csih_windows7=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 6.1 ) ? 1 : 0;}')
+_csih_windows8=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 6.2 ) ? 1 : 0;}')
+_csih_windows8_1=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 6.3 ) ? 1 : 0;}')
+_csih_windows10=$(/usr/bin/uname | /usr/bin/awk -F- '{print ( $2 >= 6.4 ) ? 1 : 0;}')
+readonly _csih_sys _csih_xp _csih_nt2003 _csih_vista _csih_windows7 _csih_windows8 _csih_windows8_1 _csih_windows10
_csih_cygver=$(b=$(/usr/bin/uname -r) && echo "${b%%(*}")
_csih_cygver_is_oneseven=$(echo ${_csih_cygver} | /usr/bin/awk -F. '{print ( $1 > 1 || ($1 == 1 && $2 >= 7) ) ? 1 : 0;}')
_csih_cygwin_is_64bit=$(/usr/bin/uname -m | grep 'x86_64' >/dev/null && echo 1 || echo 0)
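Review bot: the `_csih_windows10` test uses `$2 >= 6.4`, which is the preview kernel version string; the comparison stays true numerically for a later `10.0` release, but a short comment saying that is intended would save the next reader a check. Style point: `_csih_sys` already holds the uname output, so the seven `/usr/bin/uname | /usr/bin/awk` pipelines could become `echo "${_csih_sys}" | /usr/bin/awk ...` (or one awk invocation emitting all flags) and avoid re-forking uname.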
@@ -708,38 +762,35 @@ readonly _csih_cygver _csih_cygver_is_on
# ======================================================================
# Routine: csih_is_nt
-# returns 0 (true) if the system is Windows NT or above
-# returns 1 (false) otherwise
+# returns 0 (true)
# ======================================================================
csih_is_nt()
{
csih_stacktrace "${@}"
$_csih_trace
- test ${_csih_nt} -gt 0
+ return 0
} # === End of csih_is_nt() === #
readonly -f csih_is_nt
# ======================================================================
# Routine: csih_is_2k
-# returns 0 (true) if the system is Windows 2000 or above
-# returns 1 (false) otherwise
+# returns 0 (true)
# ======================================================================
csih_is_2k()
{
csih_stacktrace "${@}"
$_csih_trace
- test ${_csih_2k} -gt 0
+ return 0
} # === End of csih_is_2k() === #
readonly -f csih_is_2k
# ======================================================================
# Routine: csih_is_xp
-# returns 0 (true) if the system is Windows XP or above
-# returns 1 (false) otherwise
+# returns 0 (true)
# ======================================================================
csih_is_xp()
{
csih_stacktrace "${@}"
$_csih_trace
- test ${_csih_xp} -gt 0
+ return 0
} # === End of csih_is_xp() === #
readonly -f csih_is_xp
# ======================================================================
@@ -810,6 +861,32 @@ csih_is_windows8()
} # === End of csih_is_windows8() === #
readonly -f csih_is_windows8
# ======================================================================
+# Routine: csih_is_windows8
+# returns 0 (true) if the system is Windows 8/Windows 8 Server
+# or above.
+# returns 1 (false) otherwise
+# ======================================================================
+csih_is_windows8_1()
+{
+ csih_stacktrace "${@}"
+ $_csih_trace
+ test ${_csih_windows8_1} -gt 0
+} # === End of csih_is_windows8_1() === #
+readonly -f csih_is_windows8_1
+# ======================================================================
+# Routine: csih_is_windows8
+# returns 0 (true) if the system is Windows 8/Windows 8 Server
+# or above.
+# returns 1 (false) otherwise
+# ======================================================================
+csih_is_windows10()
+{
+ csih_stacktrace "${@}"
+ $_csih_trace
+ test ${_csih_windows10} -gt 0
+} # === End of csih_is_windows10() === #
+readonly -f csih_is_windows10
+# ======================================================================
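Review bot: the header comments of both new routines were copied from csih_is_windows8: they read "Routine: csih_is_windows8" and "Windows 8/Windows 8 Server or above" but the functions are csih_is_windows8_1 and csih_is_windows10. Update them to name the right routine and OS ("Windows 8.1/Windows 2012 R2 Server or above", "Windows 10 or above").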
# Routine: csih_cygver
# returns the dotted-triple version number of the currently-running
# cygwin dll. Avoids forking uname multiple times.
@@ -910,8 +987,7 @@ csih_is_exactly_server2008r2()
# Routine: csih_is_exactly_windows8
# returns 0 (true) if the system is one of the variants of
# Windows 8 (Home Premium, Professional, etc) but NOT
-# Windows 8 Server or some newer edition (like Windows9, or
-# whatever Microsoft Marketing has decided to call it).
+# Windows 8 Server or some newer edition.
# returns 1 (false) otherwise
# ======================================================================
csih_is_exactly_windows8()
@@ -938,6 +1014,66 @@ csih_is_exactly_server2012()
#NOTE: do not make _csih_exactly_server2012 readonly YET
# ======================================================================
+# Routine: csih_is_exactly_windows8_1
+# returns 0 (true) if the system is one of the variants of
+# Windows 8.1 (Home Premium, Professional, etc) but NOT
+# Windows 8.1 Server or some newer edition.
+# returns 1 (false) otherwise
+# ======================================================================
+csih_is_exactly_windows8_1()
+{
+ csih_stacktrace "${@}"
+ $_csih_trace
+e test ${_csih_exactly_windows8_1} -gt 0
+} # === End of csih_is_exactly_windows8_1() === #
+#NOTE: do not make _csih_exactly_windows8_1 readonly YET
+
+# ======================================================================
+# Routine: csih_is_exactly_server2012r2
+# returns 0 (true) if the system is one of the variants of
+# Windows 2012 Server but NOT one of the variants of Windows 8,
+# nor some newer edition.
+# returns 1 (false) otherwise
+# ======================================================================
+csih_is_exactly_server2012r2()
+{
+ csih_stacktrace "${@}"
+ $_csih_trace
+ test ${_csih_exactly_server2012r2} -gt 0
+} # === End of csih_is_exactly_server2012r2() === #
+#NOTE: do not make _csih_exactly_server2012r2 readonly YET
+
+# ======================================================================
+# Routine: csih_is_exactly_windows10
+# returns 0 (true) if the system is one of the variants of
+# Windows 8 (Home Premium, Professional, etc) but NOT
+# Windows 8 Server or some newer edition.
+# returns 1 (false) otherwise
+# ======================================================================
+csih_is_exactly_windows10()
+{
+ csih_stacktrace "${@}"
+ $_csih_trace
+ test ${_csih_exactly_windows10} -gt 0
+} # === End of csih_is_exactly_windows10() === #
+#NOTE: do not make _csih_exactly_windows10 readonly YET
+
+# ======================================================================
+# Routine: csih_is_exactly_server2014
+# returns 0 (true) if the system is one of the variants of
+# Windows 2012 Server but NOT one of the variants of Windows 8,
+# nor some newer edition.
+# returns 1 (false) otherwise
+# ======================================================================
+csih_is_exactly_server2014()
+{
+ csih_stacktrace "${@}"
+ $_csih_trace
+ test ${_csih_exactly_server2014} -gt 0
+} # === End of csih_is_exactly_server2014() === #
+#NOTE: do not make _csih_exactly_server2014 readonly YET
+
+# ======================================================================
# Routine: csih_win_product_name
# Allows to cache the result of calling winProductName.
# ======================================================================
@@ -1839,7 +1975,7 @@ readonly -f csih_make_dir
# ======================================================================
# Routine: csih_get_system_and_admins_ids
-# Get the ADMINs ids from /etc/group and /etc/passwd
+# Get the ADMINs ids from user and group account databases
# Returns 0 (true) on success, 1 otherwise.
# SETS GLOBAL VARIABLES:
# csih_ADMINSGID
@@ -1852,47 +1988,40 @@ csih_get_system_and_admins_ids()
csih_stacktrace "${@}"
$_csih_trace
local ret=0
- for fname in ${SYSCONFDIR}/passwd ${SYSCONFDIR}/group
- do
- if /usr/bin/stat -c "%A" "${fname}" | /usr/bin/grep -Eq '^-r..r..r..'
- then
- true
- else
- csih_warning "The file $fname is not readable by all."
- csih_warning "Please run 'chmod +r $fname'."
- ret=1
- fi
- done
-
- [ ! -r /etc/passwd -o ! -r /etc/group ] && return 1;
- # require Administrators group and SYSTEM in /etc/group
- csih_ADMINSGID=$(/usr/bin/sed -ne '/^[^:]*:S-1-5-32-544:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}' ${SYSCONFDIR}/group)
- csih_SYSTEMGID=$(/usr/bin/sed -ne '/^[^:]*:S-1-5-18:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}' ${SYSCONFDIR}/group)
+ # require Administrators group and SYSTEM
+ csih_ADMINSGID="$(/usr/bin/getent -w group S-1-5-32-544)"
+ csih_ADMINSGID="${csih_ADMINSGID#*:}"
+ csih_ADMINSGID="${csih_ADMINSGID%%:*}"
+ csih_SYSTEMGID="$(/usr/bin/getent -w group S-1-5-18)"
+ csih_SYSTEMGID="${csih_SYSTEMGID#*:}"
+ csih_SYSTEMGID="${csih_SYSTEMGID%%:*}"
if [ -z "$csih_ADMINSGID" -o -z "$csih_SYSTEMGID" ]
then
csih_warning "It appears that you do not have entries for the local"
csih_warning "ADMINISTRATORS and/or SYSTEM sids in /etc/group."
csih_warning ""
- csih_warning "Use the 'mkgroup' utility to generate them"
- csih_warning " mkgroup -l > /etc/group"
+ csih_warning "Use the 'mkgroup' utility to generate them or allow \"db\""
+ csih_warning "search of group accounts in /etc/nsswitch.conf"
csih_warning ""
- _csih_warning_for_etc_file group
ret=1;
fi
- # only require SYSTEM in /etc/passwd; warn if either is missing
- csih_ADMINSUID=$(/usr/bin/sed -ne '/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,S-1-5-32-544:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}' /etc/passwd)
- csih_SYSTEMUID=$(/usr/bin/sed -ne '/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,S-1-5-18:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}' /etc/passwd)
+ # only require SYSTEM passwd entry; warn if either is missing
+ csih_ADMINSUID="$(/usr/bin/getent -w passwd S-1-5-32-544)"
+ csih_ADMINSUID="${csih_ADMINSUID#*:}"
+ csih_ADMINSUID="${csih_ADMINSUID%%:*}"
+ csih_SYSTEMUID="$(/usr/bin/getent -w passwd S-1-5-18)"
+ csih_SYSTEMUID="${csih_SYSTEMUID#*:}"
+ csih_SYSTEMUID="${csih_SYSTEMUID%%:*}"
if [ -z "$csih_ADMINSUID" -o -z "$csih_SYSTEMUID" ]
then
csih_warning "It appears that you do not have an entry for the local"
csih_warning "ADMINISTRATORS (group) and/or SYSTEM sids in /etc/passwd."
csih_warning ""
- csih_warning "Use the 'mkpasswd' utility to generate it"
- csih_warning " mkpasswd -l > /etc/passwd."
+ csih_warning "Use the 'mkpasswd' utility to generate it or allow \"db\""
+ csih_warning "search of passwd accounts in /etc/nsswitch.conf"
csih_warning ""
- _csih_warning_for_etc_file passwd
if [ -z "$csih_SYSTEMUID" ]
then
ret=1
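Review bot: the four `getent -w` lookups all peel off the second colon-separated field as the uid/gid via `${x#*:}` / `${x%%:*}`, and the csih_select_privileged_username hunk additionally relies on the third field being `DOMAIN\name` followed by one trailing field. Add a comment documenting the assumed `getent -w` output layout next to the first use, so a future getent format change is caught in one place. The warning text still tells the user the entries are missing from "/etc/group" / "/etc/passwd" even though the lookup now goes through the account database; say "account database (or /etc/group)" to match the new hint about /etc/nsswitch.conf.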
@@ -1905,7 +2034,7 @@ readonly -f csih_get_system_and_admins_i
# ======================================================================
# Routine: csih_check_passwd_and_group
# Check to see whether the user's password ID and group exist in the
-# system /etc/passwd and /etc/group files, respectively.
+# system account databases, respectively.
# Returns 0 (true) on success, 1 otherwise.
# ======================================================================
csih_check_passwd_and_group()
@@ -1913,6 +2042,7 @@ csih_check_passwd_and_group()
csih_stacktrace "${@}"
$_csih_trace
local ret=0
+ # Check for mkpasswd only valid up to Cygwin 1.7.32 */
if [ "$(/usr/bin/id -gn)" = "mkpasswd" ]
then
csih_warning "It appears that you do not have an entry for your user ID"
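Review bot: the new comment `# Check for mkpasswd only valid up to Cygwin 1.7.32 */` ends with a C-style `*/`; drop it. Since csih_use_file_etc is added in this same patch, the whole `id -gn = mkpasswd` branch could be gated on `csih_use_file_etc passwd` so that db-backed installations skip the obsolete check instead of relying on a comment.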
@@ -1926,23 +2056,9 @@ csih_check_passwd_and_group()
csih_warning ""
_csih_warning_for_etc_file passwd
ret=1
- elif [ -n "$USERDOMAIN" ] && [ -n "$USERNAME" ]
- then
- if ! /usr/bin/grep -E -q -i "^$(/usr/bin/id -un):.*U-${USERDOMAIN}\\\\${USERNAME}" /etc/passwd
- then
- csih_warning "It appears that you do not have an entry for:"
- csih_warning " ${USERDOMAIN}\\${USERNAME}"
- csih_warning "in /etc/passwd."
- csih_warning ""
- csih_warning "Use the 'mkpasswd' utility to generate an entry for"
- csih_warning "your User ID in the password file:"
- csih_warning " mkpasswd -d -u User_ID >> /etc/passwd."
- csih_warning ""
- _csih_warning_for_etc_file passwd
- ret=1
- fi
fi
+ # Check for mkgroup only valid up to Cygwin 1.7.32 */
if [ "$(/usr/bin/id -gn)" = mkgroup ]
then
csih_warning "It appears that you do not have an entry for your group ID"
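Review bot: same stray `*/` at the end of `# Check for mkgroup only valid up to Cygwin 1.7.32 */`; remove it, and consider the same `csih_use_file_etc group` guard for the mkgroup branch.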
@@ -1965,24 +2081,16 @@ readonly -f csih_check_passwd_and_group
# ======================================================================
# Routine: csih_check_user
-# Check to see that the specified user exists once in /etc/passwd
+# Check to see that the specified user exists in the user account database
# Returns 0 (true) if so, 1 otherwise.
# ======================================================================
csih_check_user()
{
csih_stacktrace "${@}"
$_csih_trace
- local count=$(/usr/bin/grep -ic "^$1:" /etc/passwd)
- if [ $count = 0 ]
- then
- csih_warning "User $1 does not appear in /etc/passwd."
- return 1;
- fi
- if [ $count -gt 1 ]
+ if ! /usr/bin/getent passwd "$1" >/dev/null 2>&1
then
- csih_warning "User $1 appears $count times in /etc/passwd."
- csih_warning "This may confuse the system."
- csih_warning "Edit /etc/passwd and assign unique user ids."
+ csih_warning "User $1 does not appear in the user account database."
return 1;
fi
return 0
@@ -2182,14 +2290,12 @@ readonly -f csih_check_basic_mounts
# ======================================================================
# Routine: csih_privileged_accounts [-u username]
# Determines the names of all known "privileged" users already created
-# on this system, or known to this system (e.g. domain users
-# represented in /etc/passwd but not in the local SAM). Checks for
-# cyg_server, sshd_server, cron_server
-# as well as 'username' passed as an argument to the -u option, if
-# specified. The -u username will preferred over the default names,
-# but of those default names, cyg_server is preferred. However, it
-# is taken on faith that if 'username' exists, it is, in fact,
-# privileged and not an "ordinary" user.
+# on this system, or known to this system (e.g. domain users)
+# Checks for cyg_server, sshd_server, cron_server as well as 'username'
+# passed as an argument to the -u option, if specified. The -u username
+# will be preferred over the default names, but of those default names,
+# cyg_server is preferred. However, it is taken on faith that if
+# 'username' exists, it is, in fact, privileged and not an "ordinary" user.
# Avoids rechecking if already set.
#
# SETS GLOBAL (PRIVATE) VARIABLES:
@@ -2200,12 +2306,13 @@ csih_privileged_accounts()
{
csih_stacktrace "${@}"
$_csih_trace
+ local opt_username
+ local pwd_entries
+ local domain
local username
+ local take_it
local accounts
local first_account
- local in_passwd_status
- local in_sam_status
- local opt_username
# always parse "command line"
OPTIND=0
@@ -2221,46 +2328,37 @@ csih_privileged_accounts()
if [ -z "${_csih_all_preexisting_privileged_accounts}" ]
then
- for username in "$opt_username" $_csih_well_known_privileged_accounts
- do
- # because we quote opt_username (to allow spaces), then we
- # might have username="" if no -u option was specified. Check
- # for that case, and skip:
- if [ -z "$username" ]
- then
- continue
- fi
-
- in_passwd_status=1
- in_sam_status=1
- /usr/bin/grep -E "^${username}:" /etc/passwd 1>/dev/null 2>&1 && in_passwd_status=0
- csih_call_winsys32 net user "${username}" 1> /dev/null 2>&1 && in_sam_status=0
- if [ $in_passwd_status -eq 0 -o $in_sam_status -eq 0 ]
- then
- # however, if the caller specified opt_username, then we must
- # check that it actually has the required privileges...
- if [ "$username" = "$opt_username" ]
- then
- if ! csih_account_has_necessary_privileges "$username"
- then
- # -u $opt_username does NOT have the required privileges,
- # even though it exists. Warn, and skip
- csih_warning "Privileged account '$opt_username' was specified,"
- csih_warning "but it does not have the necessary privileges."
- csih_warning "Continuing, but will probably use a different account."
- continue
- fi
- fi
- [ -z "${first_account}" ] && first_account="${username}"
- accounts="${accounts}'${username}' "
- fi
- if [ $in_passwd_status -eq 0 -a $in_sam_status -ne 0 ]
- then
- csih_warning "${username} is in /etc/passwd, but the local"
- csih_warning "machine's SAM does not know about ${username}."
- csih_warning "Perhaps ${username} is a pre-existing domain account."
- csih_warning "Continuing, but check if this is ok."
+ # First check optional username from command line
+ if [ -n "$opt_username" ]
+ then
+ pwd_entries=$(/usr/bin/getent -w passwd "$opt_username")
+ # Extract Cygwin username and Windows domain
+ username="${pwd_entries%%:*}"
+ domain="${map_entry#*:*:}"
+ domain="${domain%\\*}"
+ take_it=1
+ # Local SAM account? Check privileges
+ [ "${COMPUTERNAME,,*}" = "${domain,,*}" ] \
+ && ! csih_account_has_necessary_privileges "$username" && take_it=0
+ if [ $take_it -eq 0 ]
+ then
+ # -u $opt_username does NOT have the required privileges,
+ # even though it exists. Warn, and skip
+ csih_warning "Privileged account '$opt_username' was specified,"
+ csih_warning "but it does not have the necessary privileges."
+ csih_warning "Continuing, but will probably use a different account."
+ else
+ first_account="${username}"
+ accounts="'${username}' "
fi
+ fi
+ # Then check predefined Cygwin service accounts
+ pwd_entries=$(/usr/bin/getent passwd $_csih_well_known_privileged_accounts \
+ | /usr/bin/cut -d: -f 1)
+ for username in $pwd_entries
+ do
+ [ -z "${first_account}" ] && first_account="${username}"
+ accounts="${accounts}'${username}' "
done
if [ -n "${accounts}" ]
then
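Review bot: `domain="${map_entry#*:*:}"` references `map_entry`, which is never set in csih_privileged_accounts (the lookup result went into `pwd_entries`; `map_entry` is a local of csih_select_privileged_username), so `domain` is always empty, the `"${COMPUTERNAME,,*}" = "${domain,,*}"` test never matches and the privilege check for a local `-u` account is silently skipped. Change it to `domain="${pwd_entries#*:*:}"`. The branch also does not handle an unknown `-u` user: with an empty `pwd_entries`, `username` becomes empty, `take_it` stays 1, and the code sets `first_account=""` and `accounts="'' "`, whereas the old loop skipped such names; guard the block with `[ -n "$pwd_entries" ]` (or check getent's exit status) before parsing.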
@@ -2310,23 +2408,20 @@ csih_account_has_necessary_privileges()
local user="$1"
if [ -n "${user}" ]
then
- if csih_call_winsys32 net user "${user}" >/dev/null 2>&1
+ if ! csih_check_program_or_warn /usr/bin/editrights editrights
then
- if ! csih_check_program_or_warn /usr/bin/editrights editrights
- then
- csih_warning "The 'editrights' program cannot be found or is not executable."
- csih_warning "Unable to ensure that '${user}' has the appropriate privileges."
- return 1
- else
- # Don't attempt to validate membership in Administrators group
- # Instead, just try to set the appropriate rights; if it fails
- # then handle that, instead.
- /usr/bin/editrights -u "${user}" -t SeAssignPrimaryTokenPrivilege >/dev/null 2>&1 &&
- /usr/bin/editrights -u "${user}" -t SeCreateTokenPrivilege >/dev/null 2>&1 &&
- /usr/bin/editrights -u "${user}" -t SeTcbPrivilege >/dev/null 2>&1 &&
- /usr/bin/editrights -u "${user}" -t SeServiceLogonRight >/dev/null 2>&1
- return # status of previous command-list
- fi
+ csih_warning "The 'editrights' program cannot be found or is not executable."
+ csih_warning "Unable to ensure that '${user}' has the appropriate privileges."
+ return 1
+ else
+ # Don't attempt to validate membership in Administrators group
+ # Instead, just try to set the appropriate rights; if it fails
+ # then handle that, instead.
+ /usr/bin/editrights -u "${user}" -t SeAssignPrimaryTokenPrivilege >/dev/null 2>&1 &&
+ /usr/bin/editrights -u "${user}" -t SeCreateTokenPrivilege >/dev/null 2>&1 &&
+ /usr/bin/editrights -u "${user}" -t SeTcbPrivilege >/dev/null 2>&1 &&
+ /usr/bin/editrights -u "${user}" -t SeServiceLogonRight >/dev/null 2>&1
+ return # status of previous command-list
fi
fi
false
@@ -2419,6 +2514,47 @@ _csih_setup()
} # === End of _csih_setup() === #
readonly -f _csih_setup
+# ======================================================================
+# Routine: csih_use_file_etc passwd|group
+# Check if /etc/passwd or /etc/group file is in use.
+# On Cygwin versions < 1.7.33, files are always used.
+# On Cygwin versions >= 1.7.33 it depends on /etc/nsswitch.conf.
+#
+# If /etc/nsswitch.conf doesn't exit, "db" is used and we don't
+# need the files.
+#
+# If /etc/nsswitch.conf exists, and passwd/group lines contain
+# the "db" entry, "db" is used and we don't need the files.
+#
+# Otherwise, we need the files.
+#
+# Returns 0 if files shall be used, 1 otherwise.
+# ======================================================================
+csih_use_file_etc()
+{
+ local file="$1"
+ local use_file
+
+ if [ "$file" != "passwd" -a "$file" != "group" ]
+ then
+ csih_error 'Script error: csih_use_file_etc requires argument "passwd" or "group".'
+ fi
+ /usr/bin/uname -r |
+ /usr/bin/awk -F. '{
+ if ($1 < 1 || \
+ ($1 == 1 && $2 < 7) || \
+ ($1 == 1 && $2 == 7 && strtonum($3) <= 33))
+ exit 0;
+ exit 1;
+ }'
+ use_file=$?
+ if [ ${use_file} -ne 0 -a -f /etc/nsswitch.conf ]
+ then
+ grep -Eq "^${file}:.*\<db\>" /etc/nsswitch.conf || use_file=0
+ fi
+ return ${use_file}
+} # === End of csih_use_file_etc() === #
+readonly -f csih_use_file_etc
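Review bot: the awk version test `strtonum($3) <= 33` returns "use files" for 1.7.33, but the routine's own comment says files are forced only for versions < 1.7.33 and that >= 1.7.33 depends on /etc/nsswitch.conf; change it to `< 33`. Typo: "doesn't exit" should be "doesn't exist". The comment says a missing /etc/nsswitch.conf means "db" is used, yet an nsswitch.conf that exists but has no `passwd:`/`group:` line falls through to "use files" because the grep fails; if the absent-line default is the same as the absent-file default, treat both the same way. Style: the routine lacks the `csih_stacktrace "${@}"` / `$_csih_trace` prologue every other csih_* routine has, and uses bare `grep` where the rest of the script uses `/usr/bin/grep`.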
# ======================================================================
# Routine: csih_select_privileged_username [-q] [-f] [-u default_user] [service_name]
@@ -2452,6 +2588,8 @@ readonly -f _csih_setup
#
# SETS GLOBAL VARIABLE:
# csih_PRIVILEGED_USERNAME
+# csih_PRIVILEGED_USERWINNAME
+# csih_PRIVILEGED_USERDOMAIN
# OPTIND
# OPTARG
#
@@ -2478,13 +2616,18 @@ csih_select_privileged_username()
{
csih_stacktrace "${@}"
$_csih_trace
+ local domain
+ local winusername
local username
+ local newname
local opt_query=0
local opt_force=0
local opt_servicename=""
local opt_default_username=""
local options
local theservice
+ local map_entry
+ local use_files
_csih_setup
@@ -2520,12 +2663,13 @@ csih_select_privileged_username()
if /usr/bin/cygrunsrv -Q "${opt_servicename}" >/dev/null 2>&1
then
username=$(/usr/bin/cygrunsrv -V -Q "${opt_servicename}" 2>&1 | /usr/bin/sed -n -e '/^Account/s/^.* : //p')
- username="${username/\.\\/${COMPUTERNAME}\\}"
- if [ "${username}" = "LocalSystem" ]
+ domain="${username%\\*}"
+ winusername="${username#*\\}"
+ if [ "${winusername}" = "LocalSystem" ]
then
username=#empty; SYSTEM is not a "privileged user"
else
- username=$(/usr/bin/grep -F "${username}" /etc/passwd | /usr/bin/cut -d: -f 1)
+ username=$(/usr/bin/getent passwd "${winusername}" "${domain}+${winusername}" | /usr/bin/head -n1 | /usr/bin/cut -d: -f 1)
fi
if [ -n "${username}" ]
then
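Review bot: removing `username="${username/\.\\/${COMPUTERNAME}\\}"` before the split means a cygrunsrv account reported as `.\cyg_server` now yields `domain="."`, so the second getent key becomes `.+cyg_server` and csih_PRIVILEGED_USERDOMAIN is later set to `.` instead of the machine name. Keep the `.\` to `${COMPUTERNAME}\` substitution ahead of `domain="${username%\\*}"`. Also, when the account string carries no backslash at all, both `domain` and `winusername` end up equal to the whole string; an explicit check for that case would avoid a bogus `domain+name` lookup.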
@@ -2536,6 +2680,8 @@ csih_select_privileged_username()
# we have already validated that ${username} has the necessary
# privilegeds. Great!
csih_PRIVILEGED_USERNAME="${username}"
+ csih_PRIVILEGED_USERWINNAME="${winusername}"
+ csih_PRIVILEGED_USERDOMAIN="${domain}"
return
else
if csih_account_has_necessary_privileges "${username}"
@@ -2547,6 +2693,8 @@ csih_select_privileged_username()
# did validate that, and it DOES have the necessary privileges.
# Add it to the list.
csih_PRIVILEGED_USERNAME="${username}"
+ csih_PRIVILEGED_USERWINNAME="${winusername}"
+ csih_PRIVILEGED_USERDOMAIN="${domain}"
_csih_all_preexisting_privileged_accounts="${_csih_all_preexisting_privileged_accounts}'${username}' "
return
else
@@ -2569,14 +2717,15 @@ csih_select_privileged_username()
then
if csih_is_nt2003
then
- csih_inform "You appear to be running Windows XP 64bit, Windows 2003 Server,"
- csih_inform "or later. On these systems, it's not possible to use the LocalSystem"
- csih_inform "account for services that can change the user id without an"
- csih_inform "explicit password (such as passwordless logins [e.g. public key"
- csih_inform "authentication] via sshd)."
+ csih_inform "It's not possible to use the LocalSystem account for services"
+ csih_inform "that can change the user id without an explicit password"
+ csih_inform "(such as passwordless logins [e.g. public key authentication]"
+ csih_inform "via sshd) when having to create the user token from scratch."
+ csih_inform "For more information on this requirement, see"
+ csih_inform "https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1"
echo ""
csih_inform "If you want to enable that functionality, it's required to create"
- csih_inform "a new account with special privileges (unless a similar account"
+ csih_inform "a new account with special privileges (unless such an account"
csih_inform "already exists). This account is then used to run these special"
csih_inform "servers."
echo ""
@@ -2585,13 +2734,13 @@ csih_select_privileged_username()
elif [ "x$csih_FORCE_PRIVILEGED_USER" = "xyes" ]
then
csih_inform "You have requested that a special privileged user be used"
- csih_inform "by the service, and are running on Windows NT, 2k or (32bit) XP"
+ csih_inform "by the service, and are running on 32 bit Windows XP"
csih_inform "where this is not actually required (LocalSystem would also work)."
echo ""
csih_inform "Note that creating a new user requires that the current account"
csih_inform "have Administrator privileges itself."
else
- # hmm. NT/2k/XP(32), but not csih_FORCE_PRIVILEGED_USER
+ # hmm. XP(32), but not csih_FORCE_PRIVILEGED_USER
# in this case, we emit no messages. If a privileged
# user already exists, we'll use it. Otherwise, don't
# specify a "privileged" user. Callers will know to
@@ -2665,8 +2814,7 @@ csih_select_privileged_username()
else
# perhaps user specified a pre-existing privileged account we
# don't know about
- if /usr/bin/grep -E "^${username}:" /etc/passwd 1>/dev/null 2>&1 ||
- csih_call_winsys32 net user "${username}" >/dev/null 2>&1
+ if /usr/bin/getent passwd "${username}" >/dev/null 2>&1
then
if ! csih_account_has_necessary_privileges "${username}"
then
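Review bot: dropping the `net user` fallback changes what counts as "exists" when csih_use_file_etc passwd is in effect: with the account DB restricted to files, getent consults only /etc/passwd, so a pre-existing SAM account that has no passwd entry is no longer recognized here, whereas the removed `csih_call_winsys32 net user "${username}"` branch did find it. If that case still matters in files-only mode, keep the net user check as the second operand of the `||`.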
@@ -2685,7 +2833,32 @@ csih_select_privileged_username()
# if it doesn't exist, we're probably in the midst of creating it.
# so don't issue any warnings.
fi
- csih_PRIVILEGED_USERNAME="${username}"
+
+ map_entry=$(/usr/bin/getent -w passwd "${username}")
+ if [ -n "${map_entry}" ]
+ then
+ local dw
+
+ csih_PRIVILEGED_USERNAME="${map_entry%%:*}"
+ dw="${map_entry#*:*:}"
+ dw="${dw%:*}"
+ csih_PRIVILEGED_USERDOMAIN="${dw%\\*}"
+ csih_PRIVILEGED_USERWINNAME="${dw#*\\}"
+ else
+ csih_PRIVILEGED_USERNAME="${username}"
+ if ! csih_use_file_etc "passwd"
+ then
+ # This test succeeds on domain member machines only, not on DCs.
+ if [ "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}" ]
+ then
+ # Lowercase of USERDOMAIN
+ csih_PRIVILEGED_USERNAME="${COMPUTERNAME,,*}+${username}"
+ fi
+ fi
+ csih_PRIVILEGED_USERDOMAIN="${COMPUTERNAME}"
+ csih_PRIVILEGED_USERWINNAME="${username}"
+ fi
+
} # === End of csih_select_privileged_username() === #
readonly -f csih_select_privileged_username
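Review bot: `map_entry` is assigned in this hunk but never declared `local`, while `dw` is; unless it is declared earlier in csih_select_privileged_username, it becomes a global and leaks into callers. Two further points in the same block: the comment `# Lowercase of USERDOMAIN` does not describe the code beneath it, which lowercases COMPUTERNAME (`${COMPUTERNAME,,*}+${username}`); and LOGONSERVER may be unset when the script runs from a service or setup.exe context, in which case `"\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}"` is always true and even a standalone machine takes the `COMPUTERNAME+user` branch. Consider guarding that test with `[ -n "${LOGONSERVER}" ]`.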
@@ -2712,6 +2885,8 @@ readonly -f csih_select_privileged_usern
#
# On success, the username and password will be available in
# csih_PRIVILEGED_USERNAME
+# csih_PRIVILEGED_USERDOMAIN
+# csih_PRIVILEGED_USERWINNAME
# csih_PRIVILEGED_PASSWORD
#
# csih_auto_answer=no behavior
@@ -2728,7 +2903,6 @@ csih_create_privileged_user()
csih_stacktrace "${@}"
$_csih_trace
local username_in_sam
- local username
local admingroup
local dos_var_empty
local _password
@@ -2737,107 +2911,98 @@ csih_create_privileged_user()
local ret=0
local username_in_admingroup
local username_got_all_rights
- local pwd_entry
- local username_in_passwd
- local entry_in_passwd
local tmpfile1
- local tmpfile2
_csih_setup
csih_select_privileged_username
if ( csih_is_nt2003 || [ "x$csih_FORCE_PRIVILEGED_USER" = "xyes" ] )
then
- username="${csih_PRIVILEGED_USERNAME}"
-
if ! csih_privileged_account_exists "$csih_PRIVILEGED_USERNAME"
then
username_in_sam=no
# give auto-answer a chance to veto, because we can't enter password
# from setup.exe...
- if csih_request "Create new privileged user account '${username}'?"
+ if csih_request "Create new privileged user account '${csih_PRIVILEGED_USERDOMAIN}\\\\${csih_PRIVILEGED_USERWINNAME}' (Cygwin name: '${csih_PRIVILEGED_USERNAME}')?"
then
-
dos_var_empty=$(/usr/bin/cygpath -w ${LOCALSTATEDIR}/empty)
- while [ "${username_in_sam}" != "yes" ]
- do
- if [ -n "${password_value}" ]
- then
- _password="${password_value}"
- # Allow to ask for password if first try fails
- password_value=""
- else
- csih_inform "Please enter a password for new user ${username}. Please be sure"
- csih_inform "that this password matches the password rules given on your system."
- csih_inform "Entering no password will exit the configuration."
- csih_get_value "Please enter the password:" -s
- _password="${csih_value}"
- if [ -z "${_password}" ]
- then
- csih_error_multi "Exiting configuration. No user ${username} has been created," \
- "and no services have been installed."
- fi
- fi
- tmpfile1=$(csih_mktemp) || csih_error "Could not create temp file"
- csih_call_winsys32 net user "${username}" "${_password}" /add /fullname:"Privileged server" \
- "/homedir:${dos_var_empty}" /yes > "${tmpfile1}" 2>&1 && username_in_sam=yes
- if [ "${username_in_sam}" != "yes" ]
- then
- csih_warning "Creating the user '${username}' failed! Reason:"
- /usr/bin/cat "${tmpfile1}"
- echo
- fi
- /usr/bin/rm -f "${tmpfile1}"
- done
-
- csih_PRIVILEGED_PASSWORD="${_password}"
- csih_inform "User '${username}' has been created with password '${_password}'."
- csih_inform "If you change the password, please remember also to change the"
- csih_inform "password for the installed services which use (or will soon use)"
- csih_inform "the '${username}' account."
- echo ""
- csih_inform "Also keep in mind that the user '${username}' needs read permissions"
- csih_inform "on all users' relevant files for the services running as '${username}'."
- csih_inform "In particular, for the sshd server all users' .ssh/authorized_keys"
- csih_inform "files must have appropriate permissions to allow public key"
- csih_inform "authentication. (Re-)running ssh-user-config for each user will set"
- csih_inform "these permissions correctly. [Similar restrictions apply, for"
- csih_inform "instance, for .rhosts files if the rshd server is running, etc]."
- echo ""
- if ! passwd -e "${username}"
- then
- csih_warning "Setting password expiry for user '${username}' failed!"
- csih_warning "Please check that password never expires or set it to your needs."
+ if [ -n "${password_value}" ]
+ then
+ _password="${password_value}"
+ # Allow to ask for password if first try fails
+ password_value=""
+ else
+ csih_inform "Please enter a password for new user ${csih_PRIVILEGED_USERNAME}. Please be sure"
+ csih_inform "that this password matches the password rules given on your system."
+ csih_inform "Entering no password will exit the configuration."
+ csih_get_value "Please enter the password:" -s
+ _password="${csih_value}"
+ if [ -z "${_password}" ]
+ then
+ csih_error_multi "Exiting configuration. No user ${csih_PRIVILEGED_USERNAME} has been created," \
+ "and no services have been installed."
+ fi
+ fi
+ tmpfile1=$(csih_mktemp) || csih_error "Could not create temp file"
+ csih_call_winsys32 net user "${csih_PRIVILEGED_USERWINNAME}" \
+ "${_password}" \
+ /fullname:"Privileged server" \
+ /homedir:"${dos_var_empty}" \
+ /comment:'<cygwin home="/var/empty" shell="/bin/false"/>' \
+ /add /yes > "${tmpfile1}" 2>&1 && username_in_sam=yes
+ if [ "${username_in_sam}" != "yes" ]
+ then
+ csih_warning "Creating the user '${csih_PRIVILEGED_USERNAME}' failed! Reason:"
+ /usr/bin/cat "${tmpfile1}"
+ echo
+ fi
+ /usr/bin/rm -f "${tmpfile1}"
+
+ if [ "${username_in_sam}" = "yes" ]
+ then
+ csih_PRIVILEGED_PASSWORD="${_password}"
+ csih_inform "User '${csih_PRIVILEGED_USERNAME}' has been created with password '${_password}'."
+ csih_inform "If you change the password, please remember also to change the"
+ csih_inform "password for the installed services which use (or will soon use)"
+ csih_inform "the '${csih_PRIVILEGED_USERNAME}' account."
+ echo ""
+
+ if ! passwd -e "${csih_PRIVILEGED_USERNAME}" >/dev/null
+ then
+ csih_warning "Setting password expiry for user '${csih_PRIVILEGED_USERNAME}' failed!"
+ csih_warning "Please check that password never expires or set it to your needs."
+ fi
fi
fi # user allowed us to create account
else
- # ${username} already exists. Use it, and make no changes.
+ # ${csih_PRIVILEGED_USERNAME} already exists. Use it, and make no changes.
# use passed-in value as first guess
csih_PRIVILEGED_PASSWORD="${password_value}"
return 0
fi
- # username did NOT previously exist, but has been successfully created.
+ # Username did NOT previously exist, but has been successfully created.
# set group memberships, privileges, and passwd timeout.
if [ "$username_in_sam" = "yes" ]
then
# always try to set group membership and privileges
- admingroup=$(/usr/bin/mkgroup -l | /usr/bin/awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}')
+ admingroup=$(/usr/bin/getent group S-1-5-32-544)
+ admingroup="${admingroup%%:*}"
if [ -z "${admingroup}" ]
then
csih_warning "Cannot obtain the Administrators group name from 'mkgroup -l'."
ret=1
- elif csih_call_winsys32 net localgroup "${admingroup}" | /usr/bin/grep -Eiq "^${username}.?$"
+ elif csih_call_winsys32 net localgroup "${admingroup}" | /usr/bin/grep -Eiq "^${csih_PRIVILEGED_USERWINNAME}.?$"
then
true
else
- csih_call_winsys32 net localgroup "${admingroup}" "${username}" /add > /dev/null 2>&1 && username_in_admingroup=yes
+ csih_call_winsys32 net localgroup "${admingroup}" "${csih_PRIVILEGED_USERWINNAME}" /add > /dev/null 2>&1 && username_in_admingroup=yes
if [ "${username_in_admingroup}" != "yes" ]
then
- csih_warning "Adding user '${username}' to local group '${admingroup}' failed!"
- csih_warning "Please add '${username}' to local group '${admingroup}' before"
+ csih_warning "Adding user '${csih_PRIVILEGED_USERNAME}' to local group '${admingroup}' failed!"
+ csih_warning "Please add '${csih_PRIVILEGED_USERNAME}' to local group '${admingroup}' before"
csih_warning "starting any of the services which depend upon this user!"
ret=1
fi
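Review bot: the warning `Cannot obtain the Administrators group name from 'mkgroup -l'.` is now stale, since the lookup two lines above was switched to `getent group S-1-5-32-544`. Two smaller points in this hunk: the comment `# Allow to ask for password if first try fails` survives although the `while [ "${username_in_sam}" != "yes" ]` retry loop around it was removed, so a password rejected by the system's password rules now falls through to the failure warning with no second attempt; and the new `/comment:'<cygwin home="/var/empty" shell="/bin/false"/>'` hardcodes /var/empty while the homedir argument is derived from `${LOCALSTATEDIR}/empty`, so the two disagree whenever LOCALSTATEDIR is not /var.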
@@ -2846,41 +3011,28 @@ csih_create_privileged_user()
if ! csih_check_program_or_warn /usr/bin/editrights editrights
then
csih_warning "The 'editrights' program cannot be found or is not executable."
- csih_warning "Unable to ensure that '${username}' has the appropriate privileges."
+ csih_warning "Unable to ensure that '${csih_PRIVILEGED_USERNAME}' has the appropriate privileges."
ret=1
else
- /usr/bin/editrights -a SeAssignPrimaryTokenPrivilege -u ${username} &&
- /usr/bin/editrights -a SeCreateTokenPrivilege -u ${username} &&
- /usr/bin/editrights -a SeTcbPrivilege -u ${username} &&
- /usr/bin/editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&
- /usr/bin/editrights -a SeServiceLogonRight -u ${username} &&
+ /usr/bin/editrights -a SeAssignPrimaryTokenPrivilege -u ${csih_PRIVILEGED_USERNAME} &&
+ /usr/bin/editrights -a SeCreateTokenPrivilege -u ${csih_PRIVILEGED_USERNAME} &&
+ /usr/bin/editrights -a SeTcbPrivilege -u ${csih_PRIVILEGED_USERNAME} &&
+ /usr/bin/editrights -a SeDenyRemoteInteractiveLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
+ /usr/bin/editrights -a SeServiceLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
username_got_all_rights="yes"
if [ "${username_got_all_rights}" != "yes" ]
then
- csih_warning "Assigning the appropriate privileges to user '${username}' failed!"
+ csih_warning "Assigning the appropriate privileges to user '${csih_PRIVILEGED_USERNAME}' failed!"
ret=1
fi
fi
-
- # we just created the user, so of course it's in the local SAM,
- # and mkpasswd -l is appropriate
- pwd_entry="$(/usr/bin/mkpasswd -l -u "${username}" | /usr/bin/sed -n -e '/^'${username}'/s?\(^[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:\).*?\1'${LOCALSTATEDIR}'/empty:/bin/false?p')"
- /usr/bin/grep -Eiq "^${username}:" "${SYSCONFDIR}/passwd" && username_in_passwd=yes &&
- /usr/bin/grep -Fiq "${pwd_entry}" "${SYSCONFDIR}/passwd" && entry_in_passwd=yes
- if [ "${entry_in_passwd}" != "yes" ]
+
+ # If we use /etc account DB only, write new account to /etc/passwd
+ if csih_use_file_etc passwd
then
- if [ "${username_in_passwd}" = "yes" ]
- then
- tmpfile2=$(csih_mktemp) || csih_error "Could not create temp file"
- /usr/bin/chmod --reference="${SYSCONFDIR}/passwd" "${tmpfile2}"
- /usr/bin/chown --reference="${SYSCONFDIR}/passwd" "${tmpfile2}"
- /usr/bin/getfacl "${SYSCONFDIR}/passwd" | /usr/bin/setfacl -f - "${tmpfile2}"
- # use >> instead of > to preserve permissions and acls
- /usr/bin/grep -Ev "^${username}:" "${SYSCONFDIR}/passwd" >> "${tmpfile2}" &&
- /usr/bin/mv -f "${tmpfile2}" "${SYSCONFDIR}/passwd" || return 1
- fi
- echo "${pwd_entry}" >> "${SYSCONFDIR}/passwd" || ret=1
+ /usr/bin/mkpasswd -l -u "${username}" >> "${SYSCONFDIR}/passwd"
fi
+
return "${ret}"
fi # ! username_in_sam
return 1 # failed to create user (or prevented by auto-answer veto)
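Review bot: `/usr/bin/mkpasswd -l -u "${username}"` still reads `username`, but this patch removes both `local username` and the `username="${csih_PRIVILEGED_USERNAME}"` assignment from csih_create_privileged_user, so in the files-only branch the variable is empty (or holds whatever an outer scope left in it) and the appended passwd entry is wrong. Since mkpasswd -l queries the local SAM, the intended value is presumably `"${csih_PRIVILEGED_USERWINNAME}"`, matching the `net user` call earlier in the function. The rewrite also drops the old guard against a duplicate entry for the same name in ${SYSCONFDIR}/passwd; if a stale entry can be present, the unconditional `>>` now produces two.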
@@ -2910,66 +3062,122 @@ csih_create_unprivileged_user()
csih_stacktrace "${@}"
$_csih_trace
local unpriv_user="$1"
- local unpriv_user_in_passwd=no
- local unpriv_user_in_sam=no
+ local map_entry
+ local user_exists=no
local dos_var_empty=
- local ret=0
_csih_setup
- /usr/bin/grep -q "^${unpriv_user}:" "${SYSCONFDIR}/passwd" && unpriv_user_in_passwd=yes
- csih_call_winsys32 net user "${unpriv_user}" >/dev/null 2>&1 && unpriv_user_in_sam=yes
- if [ "${unpriv_user_in_passwd}" != "yes" ]
- then
- if [ "${unpriv_user_in_sam}" != "yes" ]
- then
- csih_inform "Note that creating a new user requires that the current account have"
- csih_inform "Administrator privileges. Should this script attempt to create a"
- # give auto-answer a chance to veto
- if csih_request "new local account '${unpriv_user}'?"
- then
- dos_var_empty=$(/usr/bin/cygpath -w ${LOCALSTATEDIR}/empty)
- csih_call_winsys32 net user "${unpriv_user}" /add /fullname:"${unpriv_user} privsep" \
- "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && unpriv_user_in_sam=yes
- if [ "${unpriv_user_in_sam}" != "yes" ]
- then
- csih_warning "Creating the user '${unpriv_user}' failed!"
- fi
- fi
- fi
- if [ "${unpriv_user_in_sam}" = "yes" ]
- then
- # user either already existed in local SAM, or we just created a new local
- # user. Therefore, mkpasswd -l is appropriate. However, the user does not
- # (yet) appear in /etc/passwd, so add it.
- /usr/bin/mkpasswd -l -u "${unpriv_user}" | /usr/bin/sed -n -e "/^${unpriv_user}/s/bash\$/false/p" >>\
- ${SYSCONFDIR}/passwd
- # make sure the previous command succeeded
- /usr/bin/grep -q "^${unpriv_user}:" "${SYSCONFDIR}/passwd" && unpriv_user_in_passwd=yes
- if [ "${unpriv_user_in_passwd}" != "yes" ]
+ map_entry="$(/usr/bin/getent -w passwd "U-${unpriv_user}")"
+ if [ -n "${map_entry}" ]
+ then
+ user_exists=yes
+ else
+ csih_inform "Note that creating a new user requires that the current account have"
+ csih_inform "Administrator privileges. Should this script attempt to create a"
+ # give auto-answer a chance to veto
+ if csih_request "new local account '${unpriv_user}'?"
+ then
+ dos_var_empty=$(/usr/bin/cygpath -w ${LOCALSTATEDIR}/empty)
+ csih_call_winsys32 net user "${unpriv_user}" \
+ /homedir:"${dos_var_empty}" \
+ /comment:'<cygwin home="/var/empty" shell="/bin/false"/>' \
+ /add /active:no >/dev/null 2>&1 && user_exists=yes
+ if [ "${user_exists}" != "yes" ]
then
- csih_warning "Created new user '${unpriv_user}', but failed to add"
- csih_warning "corresponding entry to /etc/passwd!"
+ csih_warning "Creating the user '${unpriv_user}' failed!"
+ else
+ # If we use /etc account DB only, write new account to /etc/passwd
+ if csih_use_file_etc passwd
+ then
+ /usr/bin/mkpasswd -l -u "${unpriv_user}" >> "${SYSCONFDIR}/passwd"
+ fi
fi
fi
- else
- if [ "${unpriv_user_in_sam}" != "yes" ]
- then
- # FIXME: Needs real domain awareness to not print spurious warnings
- csih_warning "${unpriv_user} is in ${SYSCONFDIR}/passwd, but the"
- csih_warning "local machine's SAM does not know about ${unpriv_user}."
- csih_warning "Perhaps ${unpriv_user} is a pre-existing domain account."
- csih_warning "Continuing, but check if this is ok."
- fi
fi
- # as long as the user is in /etc/passwd, return success
- # if missing from SAM, we've already issued a diagnostic
- # and are assuming the user is a valid domain account.
- [ "x${unpriv_user_in_passwd}" = "xyes" ] && return 0
+
+ if [ "${user_exists}" = "yes" ]
+ then
+ local dw
+
+ map_entry="$(/usr/bin/getent -w passwd "U-${unpriv_user}")"
+ csih_UNPRIVILEGED_USERNAME="${map_entry%%:*}"
+ dw="${map_entry#*:*:}"
+ dw="${dw%:*}"
+ csih_UNPRIVILEGED_USERDOMAIN="${dw%\\*}"
+ csih_UNPRIVILEGED_USERWINNAME="${dw#*\\}"
+ return 0
+ fi
return 1
} # === End of csih_create_unprivileged_user() === #
readonly -f csih_create_unprivileged_user
+# ======================================================================
+# Routine: csih_create_local_group
+# Creates a new local group as specified by $1.
+#
+# Exits on catastrophic error
+# Returns 0 on total success
+# Returns 1 on failure
+#
+# csih_auto_answer=no behavior
+# if already exists
+# use it
+# else
+# do nothing, return 1
+# ======================================================================
+csih_create_local_group()
+{
+ csih_stacktrace "${@}"
+ $_csih_trace
+ local group="$1"
+ local map_entry
+ local grp_exists=no
+ local dos_var_empty=
+
+ _csih_setup
+
+ map_entry="$(/usr/bin/getent -w group "U-${group}")"
+ if [ -n "${map_entry}" ]
+ then
+ grp_exists=yes
+ else
+ csih_inform "Note that creating a new local group requires that the current account have"
+ csih_inform "Administrator privileges. Should this script attempt to create a"
+ # give auto-answer a chance to veto
+ if csih_request "new local group '${group}'?"
+ then
+ dos_var_empty=$(/usr/bin/cygpath -w ${LOCALSTATEDIR}/empty)
+ csih_call_winsys32 net localgroup "${group}" \
+ /add >/dev/null 2>&1 && grp_exists=yes
+ if [ "${grp_exists}" != "yes" ]
+ then
+ csih_warning "Creating the user '${group}' failed!"
+ else
+ # If we use /etc account DB only, write new group to /etc/group
+ if csih_use_file_etc group
+ then
+ /usr/bin/mkgroup -l -u "${group}" >> "${SYSCONFDIR}/passwd"
+ fi
+ fi
+ fi
+ fi
+
+ if [ "${grp_exists}" = "yes" ]
+ then
+ local dw
+
+ map_entry="$(/usr/bin/getent -w group "U-${group}")"
+ csih_LOCAL_GROUPNAME="${map_entry%%:*}"
+ dw="${map_entry#*:*:}"
+ dw="${dw%:*}"
+ csih_LOCAL_GROUPDOMAIN="${dw%\\*}"
+ csih_LOCAL_GROUPWINNAME="${dw#*\\}"
+ return 0
+ fi
+ return 1
+} # === End of csih_create_local_group() === #
+readonly -f csih_create_local_group
# ======================================================================
# Routine: csih_service_should_run_as [service_name]
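Review bot: in csih_create_local_group the files-only branch writes `mkgroup -l -u "${group}" >> "${SYSCONFDIR}/passwd"`: the output belongs in ${SYSCONFDIR}/group, and mkgroup's option for selecting a single group is `-g`, not `-u`. In the same function the failure message `Creating the user '${group}' failed!` should say group, and `dos_var_empty` is declared and computed although `net localgroup ... /add` never uses it. In csih_create_unprivileged_user, the old sed filter that forced the shell to /bin/false before appending to passwd is gone and the replacement relies on the `/comment:` XML being honoured; please confirm that `mkpasswd -l -u` reads that comment, otherwise the files-only entry ends up with the default shell.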
@@ -3001,6 +3209,8 @@ csih_service_should_run_as()
csih_stacktrace "${@}"
$_csih_trace
local opt_servicename
+ local domain
+ local winusername
# caller specified a service, so first check to see if that service
# is already installed, and if so, analyze that account. (If not,
@@ -3010,13 +3220,14 @@ csih_service_should_run_as()
opt_servicename="$1"
if /usr/bin/cygrunsrv -Q "${opt_servicename}" >/dev/null 2>&1
then
- username=$(/usr/bin/cygrunsrv -V -Q ${opt_servicename} 2>&1 | /usr/bin/sed -n -e '/^Account/s/^.* : //p')
- username="${username/\.\\/${COMPUTERNAME}\\}"
+ username=$(/usr/bin/cygrunsrv -V -Q "${opt_servicename}" 2>&1 | /usr/bin/sed -n -e '/^Account/s/^.* : //p')
+ domain="${username/\\*/}"
+ winusername="${username/*\\/}"
if [ "${username}" = "LocalSystem" ]
then
username=SYSTEM
else
- username=$(/usr/bin/grep -F "${username}" /etc/passwd | /usr/bin/cut -d: -f 1)
+ username=$(/usr/bin/getent passwd "${winusername}" "${domain}+${winusername}" | /usr/bin/head -n1 | /usr/bin/cut -d: -f 1)
fi
if ( csih_is_nt2003 || [ "x$csih_FORCE_PRIVILEGED_USER" = "xyes" ] )
then
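Review bot: the removed `username="${username/\.\\/${COMPUTERNAME}\\}"` handled the `.\user` form in which cygrunsrv reports a local account; without it, `domain` becomes `.` and the lookup `getent passwd "${winusername}" "${domain}+${winusername}"` asks for `.+user`, which cannot match a Cygwin name. Either restore the `.\` to `${COMPUTERNAME}\` rewrite before splitting on the backslash, or special-case `domain` equal to `.`.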
@@ -3089,8 +3300,7 @@ csih_service_should_run_as()
# it already existed before this script was launched
echo "$csih_PRIVILEGED_USERNAME"
return
- elif /usr/bin/grep -E "^${csih_PRIVILEGED_USERNAME}:" /etc/passwd 1>/dev/null 2>&1 ||
- csih_call_winsys32 net user "${csih_PRIVILEGED_USERNAME}" >/dev/null 2>&1
+ elif /usr/bin/getent passwd "${csih_PRIVILEGED_USERNAME}" >/dev/null 2>&1
then
# we probably just created it
echo "$csih_PRIVILEGED_USERNAME"
@@ -3147,22 +3357,34 @@ _csih_late_initialization_code()
rstatus=$?
if [ "$rstatus" -eq 0 ]
then
- if echo "${productName}" | /usr/bin/grep " Server 2012 " >/dev/null 2>&1
+ if echo "${productName}" | /usr/bin/grep -q " Server 2014 "
+ then
+ _csih_exactly_server2014=1
+ elif echo "${productName}" | /usr/bin/grep -q " Windows 10 "
+ then
+ _csih_exactly_windows10=1
+ elif echo "${productName}" | /usr/bin/grep -q " Server 2012 R2 "
+ then
+ _csih_exactly_server2012r2=1
+ elif echo "${productName}" | /usr/bin/grep -q " Windows 8\.1 "
+ then
+ _csih_exactly_windows8_1=1
+ elif echo "${productName}" | /usr/bin/grep -q " Server 2012 "
then
_csih_exactly_server2012=1
- elif echo "${productName}" | /usr/bin/grep " Windows 8 " >/dev/null 2>&1
+ elif echo "${productName}" | /usr/bin/grep -q " Windows 8 "
then
_csih_exactly_windows8=1
- elif echo "${productName}" | /usr/bin/grep " Server 2008 R2 " >/dev/null 2>&1
+ elif echo "${productName}" | /usr/bin/grep -q " Server 2008 R2 "
then
_csih_exactly_server2008r2=1
- elif echo "${productName}" | /usr/bin/grep " Windows 7 " >/dev/null 2>&1
+ elif echo "${productName}" | /usr/bin/grep -q " Windows 7 "
then
_csih_exactly_windows7=1
- elif echo "${productName}" | /usr/bin/grep " Server 2008 " >/dev/null 2>&1
+ elif echo "${productName}" | /usr/bin/grep -q " Server 2008 "
then
_csih_exactly_server2008=1
- elif echo "${productName}" | /usr/bin/grep " Vista " >/dev/null 2>&1
+ elif echo "${productName}" | /usr/bin/grep -q " Vista "
then
_csih_exactly_vista=1
fi
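Review bot: the new first branch matches ` Server 2014 ` and sets `_csih_exactly_server2014`, but no Windows release carries that product name; the successor to Server 2012 R2 had not shipped when this patch was written, so the string is a guess and the `readonly _csih_exactly_server2014` added below will need renaming once the real name is known. The ordering of the other tests is correct: ` Server 2012 R2 ` and ` Windows 8\.1 ` are checked before the plain ` Server 2012 ` and ` Windows 8 ` patterns.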
@@ -3191,6 +3413,8 @@ readonly _csih_script_dir _csih_exec_dir
readonly _csih_exactly_vista _csih_exactly_server2008
readonly _csih_exactly_server2008r2 _csih_exactly_windows7
readonly _csih_exactly_server2012 _csih_exactly_windows8
+readonly _csih_exactly_server2012r2 _csih_exactly_windows8_1
+readonly _csih_exactly_server2014 _csih_exactly_windows10
readonly _csih_win_product_name
if [ "cygwin-service-installation-helper.sh" = "$csih_progname_base" ]