Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Wed, 30 Jan 2002 13:18:42 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: ntsec+inetd+cvspserver (was CVS PServer problem)
Message-ID: <20020130131842.F11608@cygbert.vinschen.de>
Mail-Followup-To: cygwin AT cygwin DOT com
References: <002101c1a97b$77885720$ce113e9b AT LSIL DOT COM>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <002101c1a97b$77885720$ce113e9b@LSIL.COM>
User-Agent: Mutt/1.3.22.1i

On Wed, Jan 30, 2002 at 10:46:48AM -0000, Phil Dempster wrote:
> Hi folks,
>
> I've managed to get CVS pserver running on Win2K (ntsec) and am in the
> process of preparing some documentation for it. I'm trying to grasp just
> how the user ID switching works when CVS is spawned from inetd.
>
> I've found that it is not necessary to specify the user as `root' in
> inetd.conf, for example `Guest' will suffice.
>
> #/etc/inetd.conf
> cvspserver stream tcp nowait Guest /usr/bin/cvs
> cvs -f --allow-root=/usr/local/cvsroot pserver
>
> I'd hoped that would make it a lot harder for anyone with malicious intent
> to gain access via pserver. However, I'm not convinced that isn't a bogus
> assumption. Does anything spawned from inetd run as the same uid as inetd
> itself (i.e. System)?

Heck, why did I write /usr/doc/inetutils-1.3.2.README and what are the
announcements good for?

Since version 1.3.2-15 we have the following (quoted):

  In inetd, allow to start services now as the user given in the
  /etc/inetd.conf service entry. The user `root' is treated special
  since it doesn't trigger a user context switch.
  Example:

    ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd

  doesn't trigger a user context switch, the ftp daemon will run
  under SYSTEM account while in

    ftp stream tcp nowait john_doe /usr/sbin/in.ftpd in.ftpd

  inetd will try to run the ftp daemon under the `john_doe' account.
  This will fail if the account `john_doe' isn't correctly set up in
  /etc/passwd and /etc/group. However, wrong user entries or failed
  user context switches are logged in the NT event log so it should
  be easy to debug.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
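The rule quoted from the README can be checked mechanically before a service is exposed. The following is an added example, not part of the original message or of inetutils: it reports which inetd.conf entries stay under SYSTEM and which name an account the switch cannot resolve. It assumes "correctly set up" means the user has an /etc/passwd record whose primary gid appears in /etc/group; the status strings, the `jane_doe` entry and all sample data are constructed.

```python
# Added example: checks the user field of inetd.conf entries against the rule
# quoted from the inetutils README above. Sample data below is constructed.

SAMPLE_CONF = """\
# /etc/inetd.conf (constructed sample; entries mirror the thread)
ftp        stream tcp nowait root     /usr/sbin/in.ftpd in.ftpd
cvspserver stream tcp nowait Guest    /usr/bin/cvs cvs -f --allow-root=/usr/local/cvsroot pserver
ftp        stream tcp nowait john_doe /usr/sbin/in.ftpd in.ftpd
ftp        stream tcp nowait jane_doe /usr/sbin/in.ftpd in.ftpd
"""
SAMPLE_PASSWD = """\
Guest:unused:501:513:constructed:/home/Guest:/bin/bash
john_doe:unused:1005:999:constructed:/home/john_doe:/bin/bash
"""
SAMPLE_GROUP = "Users:constructed:513:\n"


def _fields(text, minimum):
    """Yield colon-separated records with at least `minimum` fields."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(parts) >= minimum:
            yield parts


def audit_inetd(conf, passwd, group):
    """Return (service, user, status) for every service entry in conf."""
    primary_gid = {p[0]: p[3] for p in _fields(passwd, 4)}
    known_gids = {g[2] for g in _fields(group, 3)}
    results = []
    for line in conf.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0].startswith("#"):
            continue  # blank, comment, or not a service entry
        service, user = cols[0], cols[4]
        if user == "root":
            status = "runs-as-SYSTEM"      # no user context switch
        elif user not in primary_gid:
            status = "missing-in-passwd"   # switch expected to fail
        elif primary_gid[user] not in known_gids:
            status = "missing-in-group"    # assumption: primary gid must resolve
        else:
            status = "switches-user"
        results.append((service, user, status))
    return results


if __name__ == "__main__":
    for service, user, status in audit_inetd(SAMPLE_CONF, SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{service:<11}{user:<10}{status}")
```

Entries reported as `missing-in-passwd` or `missing-in-group` are the ones to look up in the NT event log, where the message says failed switches are recorded.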