Mail Archives: cygwin/2008/04/10/00:57:33
Corinna Vinschen wrote:
> On Apr 9 10:55, Charles Wilson wrote:
>> Hopefully, that's more acceptable for ssh-user-config?
>
> My bad, I didn't update csih to CVS. I still think that's too much for
> ssh-user-config. But since we don't need the setfacl anymore, that's
> a moot point now.
It may be a moot point for ssh-user-config, but it could be a useful
behavior for some other -user-config (maybe cron user customizations?).
So, I've gone ahead and made the behavior silent if the
associated/specified server is already installed. See below.
> And that was really very nice. I'm not trying to criticize the general
> approach. I just think we (that is: I) should get rid of the entire
> message and the setfacl in ssh-user-config.
Well, that will certainly simplify things. However, operating on the old
assumption, the new (not even in CVS yet) version of csih lets you do this:
  compute_sshd_user() {
    if csih_is_nt
    then
      if ! cygrunsrv -Q sshd >/dev/null 2>&1
      then
        csih_select_privileged_username -q sshd
      fi
      sshd_user=$(csih_service_should_run_as sshd)
      if ! setfacl -m "u::rwx,u:${sshd_user}:r--,g::---,o::---" \
                   "${pwdhome}/.ssh"
      then
        csih_error_multiline \
        ....
  }
(a) if your service is installed, then you go directly to
csih_service_should_run_as with the (new, optional) argument 'sshd'
(b) otherwise, behavior is the "quiet but not silent" I described in my
last email -- and that all arises from calling
csih_select_privileged_username -q sshd -- which is why the client
(ssh-user-config) skips it if possible.
>>> svc_user=$(regtool get '/HKLM/SYSTEM/CurrentControlSet/Services/$1/ObjectName')
>>> svc_user="${svc_user/\.\\/$COMPUTERNAME}"
>>> svc_user=$([ "$svc_user" = "LocalSystem" ] && echo "SYSTEM" || echo $(fgrep "${svc_user}" /etc/passwd | cut -d: -f 1))
>> (a) csih_select_privileged_username (in CVS) already optionally accepts
>> the service name in addition to the -q option. Currently it is only used
>> to customize the Info: messages (see ${opt_servicename}, above). So
>> this is even easier to add than you imagine -- if it is truly desirable
>> to do so.
>>
>> (b) You could also do 'foo=$(cygrunsrv -V -L ${service} | sed -n
>> '/Account/p' | awk '{print $NF}'); foo=$(basename $foo)' which amounts
>> to the same thing.
>
> Urgh! Isn't it embarrassing that *I* missed to use cygrunsrv for that?
Well, my version wasn't exactly right either. You need to (and the new,
not even in CVS yet version does) do this:
  username=$(cygrunsrv -V -Q "${opt_servicename}" 2>&1 |\
             sed -n -e '/^Account/s/^.* : //p')
  username="${username/\.\\/${COMPUTERNAME}\\}"
  # and then something like
  [ "${username}" = "LocalSystem" ] \
      && username=SYSTEM \
      || username=$(fgrep "${username}" /etc/passwd | cut -d: -f 1)
>
>> (c) But what if ${service} has not yet been installed, even though [a]
>> common service account exists [perhaps used by some other installed
>> cygwin service]? Then you'd still need the existing logic...
>
> Right, but that should probably be a fallback.
Ok, that's the way it works now. But it is also why the user-config
client needs to check 'cygrunsrv -Q myservice' and call
  csih_select_privileged_username -q myservice
if the service is not already installed.
> If the service exists,
> it could run under *any* account. It might be interesting for csih to
> check always for the user running the service, not only on 2k3 and
> above.
OK, csih_select_privileged_username only cares for users with the
special (required on nt2003) perms -- therefore, it still checks
is_nt2003 || (nt && force_privileged). However, if the service is
installed, then 'csih_service_should_run_as myservice' will return the
user it is installed under, regardless of OS.
(Well, 9x always returns "")
If the service is not installed, then the behavior of
csih_service_should_run_as is as before:
  nt2003: find pre-existing 'well-known' privileged user and specify
          that, or default to cyg_server
  nt && !nt2003 && !force_privileged: default to SYSTEM
  !nt (e.g. 9x): ""
> For the ssh-user-config script you won't need it anymore. I have a
> hard time to see that a normal user should know or decide about stuff
> like that.
Well, with the incantation in compute_sshd_user() above, IF the admin
has already installed the service, then the user-config script will be
silent (at least with regards to these issues concerning the service's
user account.) It will only print messages (and perhaps ask questions
the user is ill-equipped to answer) if the user-config script is run but
the associated server has not been installed.
Of course, if you don't care what sshd_user is, then you don't call
either of
  csih_select_privileged_username
  csih_service_should_run_as
and it's guaranteed to be quiet. <g>
> Nothing of that is actually helpful or informative for a
> "just-a-user" user. And except for setting permissions (which isn't
> necessary!) I really think we should not call this function from pure
> user config scripts.
That's up to the maintainer of each csih client package. You don't want
to call these 'hey, what account is the server running as?' functions,
you don't need to.
--
Chuck
P.S. "not even in CVS yet" -- because in anticipation of getting
approval from Corinna, Pierre, and Yaakov for explicitly specifying the
license terms of csih.sh, I went ahead and made those changes to NEWS,
COPYING, csih.sh, AUTHORS, etc.
Corinna: MIT/X ok
Pierre: MIT/X ok
Yaakov: ...
Yaakov?
Bueller?
Is this thing on?
<tap>, <tap>
hello?
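
Added example (not part of the original message and not csih's own code): the account lookup discussed above, run over embedded sample data so it works without cygrunsrv. The function name service_account, the machine name BUILDBOX, the sample cygrunsrv output and the mkpasswd-style gecos layout (U-MACHINE\user) are assumptions; it matches the account exactly rather than by substring, so the setfacl grant on ~/.ssh cannot land on a similarly named user.

```shell
# Constructed sample of `cygrunsrv -V -Q sshd` output (layout assumed to
# match the sed expression quoted in the message).
sample_query='Service             : sshd
Current State       : Running
Command             : /usr/sbin/sshd -D
Account             : .\cyg_server'

# Constructed passwd lines; the gecos field is assumed to carry U-MACHINE\user.
sample_passwd='SYSTEM:*:18:544:,S-1-5-18::
cyg_server2:unused:1007:513:U-BUILDBOX\cyg_server2,S-1-5-21-1-2-3-1007:/home/x:/bin/bash
cyg_server:unused:1006:513:U-BUILDBOX\cyg_server,S-1-5-21-1-2-3-1006:/var/empty:/bin/false'

# service_account QUERY_OUTPUT COMPUTERNAME PASSWD_TEXT
# Prints the Cygwin user name; returns 1 if it cannot be resolved.
service_account() {
    acct=$(printf '%s\n' "$1" | sed -n -e '/^Account/s/^.* : //p')
    [ -n "$acct" ] || return 1          # service absent or no Account line
    case $acct in
        LocalSystem) printf 'SYSTEM\n'; return 0 ;;
        '.\'*) acct="$2\\${acct#??}" ;;  # .\user -> MACHINE\user
    esac
    # Compare whole gecos elements; a substring grep for cyg_server would
    # also return cyg_server2. ENVIRON keeps the backslash literal.
    name=$(printf '%s\n' "$3" | want="U-$acct" awk -F: '
        { n = split($5, g, ",")
          for (i = 1; i <= n; i++)
              if (g[i] == ENVIRON["want"]) { print $1; exit } }')
    [ -n "$name" ] && printf '%s\n' "$name"
}

service_account "$sample_query" BUILDBOX "$sample_passwd"
```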