Mail Archives: cygwin/2003/12/17/14:44:12

Date: Wed, 17 Dec 2003 14:43:55 -0500 (EST)
From: Igor Pechtchanski <pechtcha AT cs DOT nyu DOT edu>
Reply-To: cygwin AT cygwin DOT com
To: Benn Schreiber <bls AT starwhite DOT net>
cc: cygwin AT cygwin DOT com
Subject: Re: Windows 2003 Server & Cygwin Cron
In-Reply-To: <200312171927.hBHJRXTp031215@xunil.starwhite.net>
Message-ID: <Pine.GSO.4.56.0312171438330.4928@slinky.cs.nyu.edu>
References: <200312171927 DOT hBHJRXTp031215 AT xunil DOT starwhite DOT net>
MIME-Version: 1.0

Quoting crontab.c from the cron-3.0.1-11 sources:

/* Cygwin can't support changing the owner since that requires crontab to
   be a s-uid application which is not supported.
   As workaround we try to set group membership to be SYSTEM (== ROOT_UID)
   and setting permissions to 640 which should allow cron to work. */

So, Cygwin basically assumes that the user that cron runs under will be in
the SYSTEM group, and tries to change the mode of the tab file so that
cron can access it.  Unfortunately, that's not true for the directions
that Corinna gave for Win2003, since the cron_server user is not in the
SYSTEM group.  One solution is to assume the invariant that cron always
runs as a user in the SYSTEM group, but, AFAICS, there is no way to add a
user to the SYSTEM group.  Another solution is to select another group and
make that invariant (and add the cron_server user to it), which will
require changing the cron sources.

Corinna, any comments?
	Igor

On Wed, 17 Dec 2003, Benn Schreiber wrote:

> This is a follow-up to my original post. I've done some work offline with a
> couple of people on this, but wanted to bring the issue, and current
> findings, back to the list.
>
> Summary: Windows 2003 server, set up crond per Corinna's directions (posted
> below). Once a user (pick a user, any user) does a 'crontab -e', crond
> reports 'CANT OPEN (tabs/user)'
>
> At this point, the tabs/user file is owned by user.SYSTEM.  If I change the
> ownership to user.Administrators, crond is happy and so am I because my cron
> jobs run.
>
> So, I have a workaround (manually change the protection on the tabs/user
> file to user.Administrators after a 'crontab -e'). I'm posting this in case
> others run into the problem, and with the hope that a future rev of cron
> will address this problem.
>
> Thanks
> Benn
>
> From: "Benn Schreiber" <bls at starwhite dot net>
> To: <cygwin at cygwin dot com>
> Date: Tue, 16 Dec 2003 08:51:26 -0800
> Subject: Re: Windows 2003 Server & Cygwin Cron
>
> I am running on Windows 2003 server, and set up cron_server per this note.
> The cron server starts just fine, but reports that it can't open
> tabs/theuser (where theuser is the user account name).
>
> The protection on tabs/theuser is 640 o.g is user.SYSTEM  which is probably
> why cron server can't open it. I changed the group to administrators, which
> cron_server is part of, but unfortunately, a 'crontab -e' resets the group
> to SYSTEM.
>
> Thanks
>
> Benn
>
> From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
> To: cygwin at cygwin dot com
> Date: Tue, 11 Nov 2003 10:02:53 +0100
> Subject: Re: Windows 2003 Server & Cygwin Cron
> References: <NPEOLGGPKHICABBIJEIBCELECCAA DOT brian AT cruik DOT org>
> Reply-to: cygwin at cygwin dot com
> ________________________________________
> On Mon, Nov 10, 2003 at 03:26:07PM -0700, Brian Cruikshank wrote:
> >  I have tried putting
> > the everyone group on the Local Security policies for "Create a token
> > object", "Logon as service", and "Replace a process level token".  The
> > problem still happens.
>
> URGH!  Don't do this.  Remove the Everyone group from these rights
> again.  The easiest way is to follow the ssh-host-config script in
> creating a special account:
>
>   net user cron_server <passwd> /add /yes
>   net localgroup <administrators_group_name> cron_server /add
>   editrights -a SeAssignPrimaryTokenPrivilege -u cron_server
>   editrights -a SeCreateTokenPrivilege -u cron_server
>   editrights -a SeIncreaseQuotaPrivilege -u cron_server
>   editrights -a SeServiceLogonRight -u cron_server
>   mkpasswd -l -u cron_server >> /etc/passwd
>
> For security reasons:
>   editrights -a SeDenyInteractiveLogonRight -u cron_server
>   editrights -a SeDenyNetworkLogonRight -u cron_server
>   editrights -a SeDenyRemoteInteractiveLogonRight -u cron_server
>
> And then create a cron service using that account:
>   cygrunsrv -I cron -p /usr/sbin/cron -a -D -u cron_server -w <passwd>
>
> > By the way, I see reference to a cron README file that should have been in
> > the install.  I cannot find it anywhere yet.  Did it get lost in the new
> > releases or is it hiding somewhere other than /usr/doc?
>
> /usr/share/doc/...
>
> Corinna

-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton
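
Added example (not part of the original message and not code from the cron sources): a POSIX-style read check that reproduces the failure discussed above, where a tab file with mode 640 and group SYSTEM is unreadable by a cron_server account that is only in the Administrators group. The function names, the space-separated group list, and the strict owner/group/other class selection are assumptions of this sketch; audit_tabs relies on GNU `stat -c` and `id -Gn`.

```shell
#!/bin/sh
# Added example, not from the cron sources.
# can_read MODE OWNER GROUP USER "GROUPS"
#   MODE    octal permission bits as printed by stat (e.g. 640)
#   GROUPS  space-separated groups USER belongs to (assumes no spaces in names)
# Returns 0 if USER may read the file under POSIX class rules, 1 otherwise.
can_read() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    # Keep only the last three octal digits (drops setuid/setgid/sticky).
    bits="00$mode"
    bits=${bits#"${bits%???}"}
    u_bits=${bits%??}
    o_bits=${bits#??}
    g_bits=${bits#?}; g_bits=${g_bits%?}
    if [ "$user" = "$owner" ]; then
        digit=$u_bits
    else
        digit=$o_bits
        for name in $groups; do
            if [ "$name" = "$group" ]; then digit=$g_bits; break; fi
        done
    fi
    # Read permission is bit value 4 within the selected class.
    [ $(( digit & 4 )) -ne 0 ]
}

# audit_tabs DIR SVC_USER
# Lists crontab files in DIR that SVC_USER cannot read; returns 1 if any.
audit_tabs() {
    svc_groups=$(id -Gn "$2") || return 2
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! can_read "$(stat -c %a "$f")" "$(stat -c %U "$f")" \
                      "$(stat -c %G "$f")" "$2" "$svc_groups"; then
            echo "unreadable by $2: $f"
            bad=1
        fi
    done
    return "$bad"
}
```

Running `audit_tabs <tabs directory> cron_server` after a 'crontab -e' shows whether the group reset described in the thread has made a tab file unreadable to the service account, without loosening the 640 mode.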
