Message-ID: <44622B97.6020107@cygwin.com>
Date: Wed, 10 May 2006 14:06:15 -0400
From: "Larry Hall (Cygwin)"
To: cygwin AT cygwin DOT com
Subject: Re: Win2003 server and cron/sshd as services (1.5.19)

Mike Dunn wrote:
> Larry Hall (Cygwin) wrote:
>> On 05/06/2006, Mike Dunn wrote:
>>> I did just test by running cron from the command line (not as a
>>> service), and it appears to work fine. I suspect, that it can only
>>> exec commands under my uid, since my account does not have things
>>> like SeCreateTokenPrivilege, etc.
>>
>> Right. And by running it from the command line under your uid, you've
>> created files under /var with permissions that will keep 'cron' from
>> running as a service using the sshd_server (which already has the
>> ability to switch user contexts on W2K3). Your best bet here is
>> probably to uninstall cron and reinstall it, using the installation
>> instructions in /usr/share/doc/Cygwin/cron.README.
>>
> Was there anything in particular you are referring to in the README, or
> is this a general RTFM comment? I have read the READMEs, googled the
> list for 5 days, picked apart the install scripts, tested with
> alternative services, reinstalled, etc. I would like to think that I've
> done my homework.
>
> I believe that I understand the permissions issue that you refer to.
> Clearly I ran cron under my UID as a diagnostic procedure; I have since
> reinstalled it a number of times (correcting the permissions indicated
> in the README) and cron_diagnose is happy. Can you suggest what may be
> wrong with permission beyond that?

Once you start services under one user, they create files with specific
permissions. These permissions will keep the services from running as
another user. This is certainly true for sshd, which sets permissions for
/var/empty and some other files in that directory to be accessible only for
the service user. I'm away from my Windows machine at the moment so I cannot
provide further details at this point. But look at the configuration scripts
if you want some pointers.

The reason these configuration scripts exist is so one can easily and
quickly install a working setup. So your best bet to getting one is to use
them. However, since you have configured things using another method, you
probably won't have much luck getting things to work without undoing what
you've already done.

Alternatively, for cron, as long as you only want it to run as the user
you're running the service as, there is no problem continuing as you have
things now. Essentially, this is true for ssh too but you mentioned the
desire to be able to switch user contexts. That requires the user running
the service to have the permissions to do this. The ssh-host-config script
creates the sshd_server user for you with the proper permissions to run on
W2K3. See the ssh-host-config script if you want to know how this was set
up. Obviously, you can add these permissions to any user if you prefer.
The biggest downside is the additional security risk of having yet another
user id with these added permissions (and perhaps more).

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746
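
The ownership problem described in the message above can be checked mechanically. The following is an added example, not part of the original post or of the Cygwin scripts: it lists paths that were created by one uid with owner-only permissions and would therefore lock out a service running as a different uid. The helper names and the constructed demo tree are assumptions; only POSIX mode bits are examined (not NTFS ACLs), and GNU find is assumed.

```shell
#!/bin/sh
# Added example: find state files that would block a service account
# because a different uid created them with owner-only permissions.

# blocked_paths DIR SVC_UID   (hypothetical helper)
# Print every path under DIR that is owned by a uid other than SVC_UID
# and grants no group/other permission bits.
blocked_paths() {
    dir=$1
    svc_uid=$2
    # GNU find: "-perm /077" matches when any group/other bit is set,
    # so the negation selects owner-only entries.
    find "$dir" ! -uid "$svc_uid" ! -perm /077 -print | sort
}

# count_blocked DIR SVC_UID   (hypothetical helper)
# Print how many such paths exist.
count_blocked() {
    blocked_paths "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for a service's state directory.
demo() {
    tmp=$(mktemp -d)                  # created with mode 700
    mkdir "$tmp/empty"
    chmod 700 "$tmp/empty"            # owner-only, like a privsep dir
    : > "$tmp/cron.pid"
    chmod 644 "$tmp/cron.pid"         # readable by everyone
    me=$(id -u)
    other=$((me + 1))                 # stand-in for the service uid
    echo "service uid $me (the creator): $(count_blocked "$tmp" "$me") blocked"
    echo "service uid $other (someone else): $(count_blocked "$tmp" "$other") blocked"
    blocked_paths "$tmp" "$other"
    rm -rf "$tmp"
}

demo
```

Run it against the real state directory with the numeric uid of the account the service will run as; any path it prints needs its ownership corrected before the service can start under that account.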