Mail Archives: cygwin/2014/07/18/04:17:50

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Date: Fri, 18 Jul 2014 10:17:23 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Minires truncates host names
Message-ID: <20140718081723.GW15332@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
References: <028c01cf9974$ad507120$07f15360$@alum.mit.edu> <53C8129A DOT 1BA76E49 AT boland DOT nl> <20140717182302 DOT GR15332 AT calimero DOT vinschen DOT de> <53C83213 DOT 580EEB62 AT boland DOT nl>
MIME-Version: 1.0
In-Reply-To: <53C83213.580EEB62@boland.nl>
User-Agent: Mutt/1.5.23 (2014-03-12)

Hi Daniel,

On Jul 17 22:29, D. Boland wrote:
> Hi Corinna,
>
> Corinna Vinschen wrote:
> >
> > On Jul 17 20:14, D. Boland wrote:
> > > Just letting you know how it went with the Resolver (miniedit). The error, pointed
> > > out by you, solved the problem.
> >
> > Did you read my previous reply?  Do *not* use the minires lib.  Use the
> > Cygwin resolver.  There's no minires lib on 64 bit anymore and the 32
> > bit runtime minires is only maintained for backward compatibility.
>
> Yes, I read it. I just don't like to swap my current Cygwin DLL. I will test it
> proper on a fresh Cygwin system on another computer. When will the fix be released?

With 1.7.31 in the next few days.  But there are still the developer
snapshots for testing.  Here's the deal: If you test a developer
snapshot you can make sure that the next release will fix the problem.
If you don't test the snapshot you won't have that privilege and the
functionality will still be broken up to the next release.  Simple.

> > > Now I have an even bigger problem. Sendmail works perfectly. But only on my XP
> > > machine. As of Windows Vista, MS decided to remove certain privileges from the
> > > SYSTEM user.
> >
> > You might have to read the user's manual in the long run ;)
> >
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>
> I did read it. Very well written, I might add. It looked very complicated at first
> but when I read it, it made my problem very clear.
>
> > Other services are set up so that they use another account called
> > cyg_server.  See, for instance, how ssh-host-config helps an admin to
> > set this up.  The csih package helper script is lending you a hand when
> > creating such service installer scripts.  See also
> >
> > https://cygwin.com/faq/faq.html#faq.using.sshd-in-domain
>
> I must say, I am not a big fan of this csih thang. It totally obfuscates what I am
> doing with my Cygwin server as an administrator. Also, it creates the "cyg_server"
> user, which just mimics what the SYSTEM user used to do. Maybe it should have been
> called "root"?

SYSTEM or, FWIW, cyg_server are not root.  Nor are the users in the
admin group.  The privilege concept in Windows is simply different and
trying to tweak it into shape is bound to fail one way or the other.
That's why we don't pretend any of the user accounts is actually root.

> The SYSTEM user was/is also regarded as the root user by other softwares from the
> Unix world. It's in the procmail source code (#define ROOT_uid 18).

That's a Cygwin-specific patch to change tests testing for uid 0
to tests for uid 18 by default.  But that doesn't matter.

> I searched for MS's position on this issue. I found this article:
>
> http://technet.microsoft.com/en-us/library/bb457125.aspx
>
> In the section about the SeTcbPrivilege, which the "cyg_server" user needs to log in
> as another user

Stop right here.  The problem is *not* SeTcbPrivilege.  SeTcbPrivilege
is only one side of the coin.  The other side is SeCreateTokenPrivilege.
Starting with Windows 2003, all services started under the SYSTEM
account get an access token with the SeCreateTokenPrivilege explicitly
removed.  That means method 1 from the user guide
(https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1)
which at one point in the past was the *only* method, won't work.
Given that method 2 and 3 require specific administrator intervention,
method 1 is still the fallback, and it's probably in use on many
machines of users who don't want to install an LSA auth package or
to store the password in the registry.

> I cannot believe that MS just disabled this privilege in the newer Windows versions,

They didn't.  They removed SeCreateTokenPrivilege.

> without providing an alternative. So now I'm trying the LocalService user...

Good luck.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
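
The following is an added example, not part of the original message and not Cygwin code: a small Python check that reads `whoami /priv /fo csv` output for a service's token and separates a privilege that is merely disabled (still in the token) from one that has been removed, which is the situation the message describes for SeCreateTokenPrivilege. The sample outputs are constructed, the English column names are assumed, and the function names are hypothetical.

```python
import csv
import io

# The two privileges named in the message above.
WATCHED = ("SeTcbPrivilege", "SeCreateTokenPrivilege")

# Constructed sample: token of a service running as SYSTEM on a newer Windows,
# where SeCreateTokenPrivilege has been removed and so is not listed at all.
SAMPLE_SYSTEM_SERVICE = '''\
"Privilege Name","Description","State"
"SeAssignPrimaryTokenPrivilege","Replace a process level token","Disabled"
"SeTcbPrivilege","Act as part of the operating system","Enabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
'''

# Constructed sample: token of an account that was granted the privilege.
# It is listed as Disabled, meaning present and available to be enabled.
SAMPLE_GRANTED_ACCOUNT = '''\
"Privilege Name","Description","State"
"SeAssignPrimaryTokenPrivilege","Replace a process level token","Disabled"
"SeCreateTokenPrivilege","Create a token object","Disabled"
"SeTcbPrivilege","Act as part of the operating system","Disabled"
'''


def parse_privileges(csv_text):
    """Map each privilege listed in the token to 'enabled' or 'disabled'."""
    held = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Privilege Name") or "").strip()
        state = (row.get("State") or "").strip().lower()
        if name:
            held[name] = state
    return held


def classify(csv_text, watched=WATCHED):
    """Return 'enabled', 'disabled' or 'absent' for each watched privilege.

    'absent' means the privilege is not in the token, so the process
    cannot switch it on; 'disabled' means it is held but not active.
    """
    held = parse_privileges(csv_text)
    return {name: held.get(name, "absent") for name in watched}


def method1_blocked(csv_text):
    """True when SeCreateTokenPrivilege is missing from the token, the
    condition under which the message says method 1 won't work."""
    return classify(csv_text)["SeCreateTokenPrivilege"] == "absent"
```

To check a real service, capture the output of Windows' own `whoami.exe /priv /fo csv` from within that service's context and pass the text to `classify`.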
