Mail Archives: cygwin/2008/08/07/12:20:53
Corinna Vinschen wrote:
> No, the above lines are checking for the passwd entry for the
> administrators group. S-1-5-32-544 is the SID of that group.
> The SID for the Administrator user is S-1-5-21-X-Y-Z-500.
D'oh. Right.
>> Now, about csih_check_access() -- without exact knowledge of
>> csih_ADMINSUID, csih_SYSTEMUID, csih_ADMINSGID, and csih_SYSTEMGID, then
>> the whole csih_check_access() test can't be computed.
>>
>> If you make those GID/UID vars "optional" (e.g. not a failure if missing),
>> and then skip the relevant tests in csih_check_access, you might as well
>> just abandon the test entirely. Is that what we want to do? Never bother
>> to check for SYSTEM/Administrator access to the specified files?
>>
>> e.g.
>> /var/run
>> /var/log
>> /var/empty
>>
>> Somehow that doesn't seem right.
>
> Well, hmm. In theory, admins have backup/restore rights anyway.
> However, I was just thinking that csih should get rid of points of
> failure which are not entirely necessary, like the checks for denied
> user rights. If you think the test is necessary, just stick to it.
Well, part of the purpose of the foo-config scripts is to diagnose -- if
the foo-config script succeeds without error, then one would expect that
the installed service will, in fact, operate correctly. It's much worse
to have a user run ssh-host-config which /apparently/ succeeds, only to
have the service fail to start or operate correctly.

So, I think /some/ version of this test should remain. However, if the
Administrators GROUP is not present in the /etc/passwd file -- that's
not a failure, so long as the Administrator and/or SYSTEM have the
desired access to the file (as well as the file's owner).

So, I can see csih_get_system_and_admins_ids() reporting success if it
finds these three: ADMIN-GID, SYSTEM-GID, and SYSTEM-UID, and treating
ADMIN-UID (e.g. -544 in /etc/passwd) as a non-failure if missing.
Then, csih_check_access (and all other users of ADMIN-UID) would
special-case against empty.

We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in
both /etc/group and /etc/passwd, right?

--
Chuck
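
The lookup rule proposed in this message, sketched as an added example (not csih's own code and not part of the original post): three IDs are required, the Administrators entry in /etc/passwd is optional, and callers special-case an empty value. Function and variable names are hypothetical, the file layouts are assumed to be classic mkpasswd/mkgroup output, and the sample files are constructed.

```shell
# Added example; function and variable names are hypothetical, not csih's.
# Assumed layouts (classic mkpasswd/mkgroup output):
#   passwd: name:pw:uid:gid:gecos,SID:home:shell
#   group:  name:SID:gid:members
SID_ADMINS="S-1-5-32-544"   # Administrators group SID (from the thread)
SID_SYSTEM="S-1-5-18"       # SYSTEM well-known SID

uid_for_sid() {  # $1=passwd file, $2=SID; prints uid or nothing
  awk -F: -v sid="$2" '{ n = split($5, g, ","); if (g[n] == sid) { print $3; exit } }' "$1"
}

gid_for_sid() {  # $1=group file, $2=SID; prints gid or nothing
  awk -F: -v sid="$2" '$2 == sid { print $3; exit }' "$1"
}

# Sets ADMINS_GID, SYSTEM_GID, SYSTEM_UID (required) and ADMINS_UID (optional).
# Succeeds only when all three required IDs were found.
lookup_ids() {  # $1=passwd file, $2=group file
  ADMINS_GID=$(gid_for_sid "$2" "$SID_ADMINS")
  SYSTEM_GID=$(gid_for_sid "$2" "$SID_SYSTEM")
  SYSTEM_UID=$(uid_for_sid "$1" "$SID_SYSTEM")
  ADMINS_UID=$(uid_for_sid "$1" "$SID_ADMINS")   # may legitimately be empty
  [ -n "$ADMINS_GID" ] && [ -n "$SYSTEM_GID" ] && [ -n "$SYSTEM_UID" ]
}

# An access check special-cases the empty ADMINS_UID instead of failing on it.
owner_is_privileged() {  # $1=numeric owner uid of the file being checked
  [ "$1" = "$SYSTEM_UID" ] && return 0
  [ -n "$ADMINS_UID" ] && [ "$1" = "$ADMINS_UID" ]
}

# Constructed sample files: passwd has no Administrators (-544) entry.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
SYSTEM:*:18:544:,S-1-5-18::
chuck:unused:1003:513:U-HOST\chuck,S-1-5-21-1-2-3-1003:/home/chuck:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
SYSTEM:S-1-5-18:18:
Administrators:S-1-5-32-544:544:
EOF
lookup_ids "$demo_dir/passwd" "$demo_dir/group" && echo "ids ok, ADMINS_UID='${ADMINS_UID}'"
```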