CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

Charles Wilson cygwin@cwilson.fastmail.fm
Thu Aug 7 16:42:00 GMT 2008 

Corinna Vinschen wrote:
> No, the above lines are checking for the passwd entry for the
> administrators group.   S-1-5-32-544 is the SID of that group.
> The SID for the Administrator user is S-1-5-21-X-Y-Z-500.

D'oh.  Right.

>> Now, about csih_check_access() -- without exact knowledge of 
>> csih_ADMINSUID, csih_SYSTEMUID, csih_ADMINSGID, and csih_SYSTEMGID, then 
>> the whole csih_check_access() test can't be computed.
>>
>> If you make those GID/UID vars "optional" (e.g. not a failure if missing), 
>> and then skip the relevant tests in csih_check_access, you might as well 
>> just abandon the test entirely.  Is that what we want to do?  Never bother 
>> to check for SYSTEM/Administrator access to the specified files?
>>
>> e.g.
>>   /var/run
>>   /var/log
>>   /var/empty
>>
>> Somehow that doesn't seem right.
> 
> Well, hmm.  In theory, admins have backup/restore rights anyway.
> However, I was just thinking that csih should get rid of points of
> failure which are not entirely necessary, like the checks for denied
> user rights.  If you think the test is necessary, just stick to it.

Well, part of the purpose of the foo-config scripts is to diagnose -- if 
the foo-config script succeeds without error, then one would expect that 
the installed service will, in fact, operate correctly.  It's much worse 
to have a user run ssh-host-config which /apparently/ succeeds, only to 
have the service fail to start or operate correctly.

So, I think /some/ version of this test should remain. However, if the 
Administrators GROUP is not present in the /etc/passwd file -- that's 
not a failure, so long as the Administrator and/or SYSTEM have the 
desired access to the file (as well as the file's owner).

So, I can see csih_get_system_and_admins_ids() reporting success if it 
finds these three: ADMIN-GID, SYSTEM-GID, and SYSTEM-UID, and treating 
ADMIN-UID (e.g. -544 in /etc/passwd) as a non-failure if missing.

Then, csih_check_access (and all other users of ADMIN-UID) would 
special-case against empty.

We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in 
both /etc/group and /etc/passwd, right?

--
Chuck


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

More information about the Cygwin mailing list