X-Recipient: archive-cygwin@delorie.com
X-Spam-Check-By: sourceware.org
Message-ID: <489B29F1.909@cwilson.fastmail.fm>
Date: Thu, 07 Aug 2008 12:59:29 -0400
From: Charles Wilson <cygwin@cwilson.fastmail.fm>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/20080708 Thunderbird/2.0.0.16 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: cygwin@cygwin.com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server   account [SOLVED])
References: <48821B9F.6070907@cwilson.fastmail.fm> <20080719171235.GO5675@calimero.vinschen.de> <488252B5.8000501@cwilson.fastmail.fm> <20080720122754.GP5675@calimero.vinschen.de> <20080720134054.GQ5675@calimero.vinschen.de> <4897AD74.8020606@cwilson.fastmail.fm> <20080807075806.GA30629@calimero.vinschen.de> <489B13F4.4030002@cwilson.fastmail.fm> <20080807154823.GI3806@calimero.vinschen.de> <489B20AC.9080902@cwilson.fastmail.fm> <20080807164241.GK3806@calimero.vinschen.de>
In-Reply-To: <20080807164241.GK3806@calimero.vinschen.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com

Corinna Vinschen wrote:
>> We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in 
>> both /etc/group and /etc/passwd, right?
> 
> Yes.  I'm just wondering if we shouldn't check for the Admins group
> only.  The token of the SYSTEM user always contains the Admins group and
> the cyg_server (or whatever the name is) user is always (and should
> always) be created as member of the admins group, too.  So, if I didn't
> miss anything important, the check could be reduced to checking for the
> admins group permissions.  Does that make sense?

It makes sense -- if the following assertion is true for NT/2k/XP, as 
well as more modern versions of Windows, for both cygwin-1.5 and cygwin-1.7:

Admins group access to a file (-...[rwx]... as specified by $2 if group 
ownership of the file is Administrators, or a sufficient group token in 
the extended ACLs is present as determined by getfacl) is necessary and 
sufficient for the SYSTEM user (and/or the special privileged user) to 
access the file, regardless of the file's actual owner.

--
Chuck

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/