Mail Archives: cygwin/2008/04/09/12:13:56

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Wed, 9 Apr 2008 18:12:04 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1
Message-ID: <20080409161204.GJ23852@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <1207752935 DOT 9233 DOT 1246948379 AT webmail DOT messagingengine DOT com>
MIME-Version: 1.0
In-Reply-To: <1207752935.9233.1246948379@webmail.messagingengine.com>
User-Agent: Mutt/1.5.16 (2007-06-09)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Apr  9 10:55, Charles Wilson wrote:
> On Wed, 9 Apr 2008 14:09:56 +0200, Corinna Vinschen wrote:
> >Looks ok, but I have a few questions/comments.
> >
> >- When the script starts, the following text appears:
> [snip verbose output]
> >However, I think the whole message is too noisy and confusing for
> >non-admins.  
> 
> That is odd. That particular text was mostly taken from ssh-host-config,
> and should only appear if your script calls
> csih_select_privileged_username() with no arguments (or if you are using
> csih-0.1.3, instead of CVS csih) -- that is, the way ssh-host-config
> calls it.  The older version of csih_select_privileged_username ignores
> its arguments; the newer one honors the '-q' option that [my]
> ssh-user-config gives it. In which case, what you should see is
> something like the following (but only if nt2003 or
> csih_FORCE_PRIVILEGED_USER):
> 
> *** Info: The following privileged accounts were found: ....
> *** Info: This script will assume that ${opt_servicename} will run under
> the"
> *** Info: '${username}' account."
> *** Query: Will ${opt_servicename} run under a different account?" 
> [yes/no], if yes, then:
> *** Query: Enter the user name used by ${opt_servicename}:
> 
> Hopefully, that's more acceptable for ssh-user-config?

My bad, I didn't update csih to CVS.  I still think that's too much for
ssh-user-config.  But since we don't need the setfacl anymore, that's
a moot point now.

> >Additionally, given that Cygwin opens
> >files always with BACKUP_INTENT for a while anyway, and given that the
> >service account is a member of the administrators group, which has
> >backup user rights, there's not much reason anymore to add the service
> >account to the ACL.  I fear that's just old cruft in the ssh-user-script.
> 
> Well, that's up to you. I wanted to do something that was as close to
> equivalent as the existing ssh-[host|user]-config, with only those
> changes necessary to support a common service account whose name might
> not be 'sshd_service'.

And that was really very nice.  I'm not trying to criticize the general
approach.  I just think we (that is: I) should get rid of the entire
message and the setfacl in ssh-user-config.

> >The query "Do you want to use different name?" is a bit upside down,
> >IMHO.  The query should be rather phrased positively "Do you want to use 
> >t name?"
> 
> I already addressed this:
> http://cygwin.com/ml/cygwin/2008-03/msg00447.html
> 
> Phrasing that question in the opposite sense breaks postinstall scripts,
> where auto_answer="no". That is:
> 
> Do you want to use this name? <no>
> Enter the name you want to use: <hangs>
> 
> ...and that would be bad. Now, the openssh package does not invoke its
> config scripts from /etc/postinstall, but others do. So I need to take
> care that the auto_answer="no" case never hangs.

Ok, agreed.

> >  svc_user=$(regtool get "/HKLM/SYSTEM/CurrentControlSet/Services/$1/ObjectName")
> >  svc_user="${svc_user/\.\\/$COMPUTERNAME}"
> >  svc_user=$([ "$svc_user" = "LocalSystem" ] && echo "SYSTEM" || echo $(fgrep "${svc_user}" /etc/passwd | cut -d: -f 1))
> 
> (a) csih_select_privileged_username (in CVS) already optionally accepts
> the service name in addition to the -q option. Currently it is only used
> to customize the Info: messages (see ${opt_servicename}, above).  So
> this is even easier to add than you imagine -- if it is truly desirable
> to do so.
> 
> (b) You could also do 'foo=$(cygrunsrv -V -L ${service} | sed -n
> '/Account/p' | awk '{print $NF}'); foo=$(basename $foo)' which amounts
> to the same thing.

Urgh!  Isn't it embarrassing that *I* missed to use cygrunsrv for that?

> (c) But what if ${service} has not yet been installed, even though [a]
> common service account exists [perhaps used by some other installed
> cygwin service]?  Then you'd still need the existing logic...

Right, but that should probably be a fallback.  If the service exists,
it could run under *any* account.  It might be interesting for csih to
check always for the user running the service, not only on 2k3 and
above.

> Furthermore, remember that these routines are shared between (the more
> common) install-a-service config scripts, and (less common) user config
> scripts like ssh-user-config.  In the former [common] case, assuming
> ${service} is not installed, you will always need the existing logic.

For the ssh-user-config script you won't need it anymore.  I have a 
hard time to see that a normal user should know or decide about stuff
like that.  Nothing of that is actually helpful or informative for a
"just-a-user" user.  And except for setting permissions (which isn't
necessary!) I really think we should not call this function from pure
user config scripts.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
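
Added example, not part of the original message and not csih code: a sketch of the lookup discussed in points (b) and (c), which reads the account from a verbose `cygrunsrv -V -L` listing and falls back to a caller-supplied default when the service is not installed. The function names, the sample listing layout and the character allow-list are assumptions made for illustration.

```shell
# Constructed sample listing (assumed layout of `cygrunsrv -V -L sshd`).
sample_output='Service             : sshd
Display name        : CYGWIN sshd
Current State       : Running
Command             : /usr/sbin/sshd -D
Account             : .\cyg_server'

# Read a verbose listing on stdin and print the raw Account value.
# sed keeps the whole value; awk '{print $NF}' would cut names at spaces.
account_from_cygrunsrv() {
    sed -n 's/^Account[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Turn a Windows account string into a bare user name.
# printf is used instead of echo: some shells expand "\c" in ".\cyg_server".
normalize_account() {
    acct=$1
    if [ "$acct" = "LocalSystem" ]; then
        printf '%s\n' "SYSTEM"
        return 0
    fi
    acct=${acct##*\\}              # drop ".\" or "DOMAIN\" prefix
    case "$acct" in
        ''|*[!A-Za-z0-9_.-]*)      # conservative allow-list (assumption)
            return 1 ;;
    esac
    printf '%s\n' "$acct"
}

# resolve_service_user LISTING FALLBACK
# Prefer the account the installed service actually runs under; use FALLBACK
# when the listing has no usable Account line (service not installed yet).
resolve_service_user() {
    listing=$1
    fallback=$2
    raw=$(printf '%s\n' "$listing" | account_from_cygrunsrv)
    if [ -n "$raw" ] && user=$(normalize_account "$raw"); then
        printf '%s\n' "$user"
    else
        printf '%s\n' "$fallback"
    fi
}

resolve_service_user "$sample_output" "fallback_user"
```

On a real system the first argument would be the captured output of `cygrunsrv -V -L "$service"`, and the fallback would come from the existing privileged-user detection.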
