[ANNOUNCEMENT] Updated: csih-0.1.7-1

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Aug 20 18:15:00 GMT 2008


On Aug 20 12:35, Charles Wilson wrote:
> Corinna Vinschen wrote:
> > I would like to propose to do all the work in the csih script, like
> > this:
> > [...]
> >   csih_make_dir "${SYSCONFDIR}"
> >   chmod 755 "${LOCALSTATEDIR}/etc"
>                ^^^^^^^^^^^^^^^^^^^^^
> I assume you mean "${SYSCONFDIR}" here.  However, if the chmod command

Oh, sure.  Thanks for noticing.

> > The /var dirs are now (setup 2.609) created with 01777 permissions
> > anyway, but it can't hurt to keep this code in.  The 01777 permissions
> > make sure that all daemons can create their files in /var/run, /var/log.
> > 
> > The code in /bin/ssh-host-config would go away entirely.  The script
> > would also test for the *next* csih version 0.1.8.
> 
> Sure, that works. Try the following.  I hesitate to actually release
> 0.1.8 until you finish your testing cycle with the new openssh. Let's
> coordinate the release(s).
> [...]
>      csih_make_dir "${SYSCONFDIR}"
> -
> +    chmod 755 "${LOCALSTATEDIR}/etc" || /bin/true
> +
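
Review bot: the added chmod line operates on "${LOCALSTATEDIR}/etc", while the csih_make_dir call directly above it creates "${SYSCONFDIR}", so the mode is set on a different path than the directory just created; use the same variable in both lines. The trailing `|| /bin/true` also discards a chmod failure silently, so consider printing a warning before continuing.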

I guess that should have been

       chmod 755 "${SYSCONFDIR}" || /bin/true

:-)

I got two other problems:

  *** Query: Should privilege separation be used? (yes/no) yes
  *** Warning: Something is wrong: sshd is in /etc/passwd,
  *** Warning: but Windows does not know anything about sshd.
  *** Warning: Perhaps sshd is a pre-existing domain account.
  *** Warning: Continuing, but subsequent actions in this script may fail.
  *** Warning: Couldn't create user 'sshd'!
  *** Warning: Privilege separation set to 'no' again!
  *** Warning: Check your /etc/sshd_config file!

That's a bit harsh.  If the unprivileged user exists in /etc/passwd, 
let's use it.  Even if you print the warning, it doesn't make sense to
return false from csih_create_unprivileged_user() in this case, thus
resulting in a failing function in the parent script.

  *** Info: This script plans to use 'cyg_server'.
  *** Info: 'cyg_server' will only be used by registered services.
  *** Query: Do you want to use a different name? (yes/no) no
  *** Warning: Adding user 'cyg_server' to local group 'Administrators' failed!
  *** Warning: Please add 'cyg_server' to local group 'Administrators' before
  *** Warning: starting any of the services which depend upon this user!
  mkpasswd (445): [2221] The user name could not be found.
  *** ERROR: There was a serious problem creating a privileged user.
  *** Query: Do you want to proceed anyway?

Of course, since cyg_server is a domain account, it's not possible to
add it to the local admins group.  In fact, since cyg_server is a Domain
Admin account, and the Domain Admin group in turn is a member of the
Administrators group, cyg_server already is a member of the Administrators
group on all domain member machines.

So, when choosing an account from /etc/passwd, the above step in
csih_create_privileged_user() should be skipped, together with any
postprocessing such as checking for password expiry.

In the long run, it would be cool if the script would be domain aware,
of course, but there might be some tweaking of tools necessary before
we can do that.

Other than that, I think it looks good now.  I attached a patch to
accomplish the above.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: csih.diff
Type: text/x-patch
Size: 2310 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin/attachments/20080820/7ab99279/attachment.bin>
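
The control flow proposed in the message for the privileged account, as an added example (it is not csih code and not the attached patch): an account already present in the passwd file is used as-is and the function still succeeds. The function and hook names and the sample passwd entries are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not csih code: all names and sample data are hypothetical.

# True if user $1 has an entry in the passwd-format file $2 (exact name match).
user_in_passwd() {
  awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# Hooks standing in for the Windows-side steps; a real script would call the
# platform tools here. Each one records the step it would perform in STEPS.
STEPS=""
create_local_user()     { STEPS="$STEPS create:$1"; }
add_to_administrators() { STEPS="$STEPS admin:$1"; }
check_password_expiry() { STEPS="$STEPS expiry:$1"; }

# Set up a privileged service account.
# An account already listed in the passwd file (for example a domain account)
# is used unchanged: no creation, no local group change, no post-processing,
# and the function returns success so the calling script does not fail.
ensure_privileged_user() {
  user=$1
  passwd_file=$2
  if user_in_passwd "$user" "$passwd_file"; then
    echo "Info: using existing account '$user' from $passwd_file" >&2
    return 0
  fi
  create_local_user "$user"     || return 1
  add_to_administrators "$user" || return 1
  check_password_expiry "$user"
}

# Constructed sample passwd data: cyg_server and sshd exist, svc_new does not.
sample_passwd() {
  cat <<'EOF'
Administrator:unused:500:513::/home/Administrator:/bin/bash
cyg_server:unused:11001:10513::/var/empty:/bin/false
sshd:unused:11002:10513::/var/empty:/bin/false
EOF
}
```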