Message-ID: <47FAC142.6040508@cwilson.fastmail.fm>
Date: Mon, 07 Apr 2008 20:50:10 -0400
From: Charles Wilson
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1

Corinna Vinschen wrote:
> On Apr 3 10:55, Corinna Vinschen wrote:
>> On Apr 2 23:46, Charles Wilson wrote:
>>> Attached is an updated implementation of ssh-host-config that uses csih. It
>>> seems to work pretty well for the various tests I've put it through,
>>> although it REQUIRES csih-0.1.3.
>> Wow, thanks for doing my job. I still have this on my TODO list :}
>> It would be cool if list folks could give it a try. I will test it
>> as well, perhaps over the weekend.
>
> Looks good to me. I will upload a new OpenSSH release in the next
> couple of days, but I guess I'll wait until you uploaded a new csih
> release.

Don't forget that ssh-user-config should probably be updated to use csih
also. Otherwise, it will assume that the privileged user is sshd_server,
when it might be that, or cyg_server or cron_server. Instead, it should do:

    if csih_is_nt
    then
      # Ask csih which account the service runs under instead of
      # hard-coding sshd_server.
      _user=$(csih_service_should_run_as)
      # Owner gets rwx, the service account read-only, group/other nothing.
      if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" \
                      "${pwdhome}/.ssh"
      then
        csih_error_multiline \
          "${pwdhome}/.ssh couldn't be given the correct permissions," \
          "assuming that the sshd server is running under the \`${_user}'" \
          "account. Please try to solve this problem first."
      fi
    fi

Unfortunately, right now csih_service_should_run_as only works if
csih_select_privileged_username has been called -- but that function is
very wordy, and blathers on about 'creating' the privileged user.
(csih_select_privileged_username, while public, is normally called by
csih_create_privileged_user).

I need to create an internal csih helper function that can be called by
csih_service_should_run_as if csih_PRIVILEGED_USERNAME is not already
set, which will quietly do *some* of the stuff in
csih_select_privileged_username in order to initialize
csih_PRIVILEGED_USERNAME.

> Btw., I have a tiny patch to fix two typos in the file
> cygwin-service-installation-helper.sh. Maybe you could apply them as
> well?

Sure, and thanks.

--
Chuck
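
Added example, not part of the original message and not csih or OpenSSH code: a check that getfacl-style output for ~/.ssh matches the ACL the snippet in the message sets (owner rwx, service account read-only, nothing for group or other). The function name check_ssh_acl, the accepted getfacl line format and the sample ACLs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not csih or OpenSSH code. Reads getfacl-style text on stdin.
# Usage: getfacl ~/.ssh | check_ssh_acl SERVICE_USER
# Returns 0 only if the ACL is u::rwx, u:SERVICE_USER:r--, g::---, o::---.
check_ssh_acl() {
  _svc=$1 _bad=0 _seen_svc=0
  while IFS= read -r _line; do
    case $_line in ''|'#'*) continue ;; esac   # skip blanks and header comments
    _tag=${_line%%:*}                 # user, group, mask or other
    _perm=${_line##*:}                # last field, e.g. r--
    _name=${_line#"$_tag"}            # ":name:", "::" or ":" plus the perms
    _name=${_name%"$_perm"}
    _name=${_name#:}; _name=${_name%:}
    case "$_tag:$_name" in
      user:)         _want=rwx ;;
      user:"$_svc")  _want=r--; _seen_svc=1 ;;
      group:|other:) _want=--- ;;
      mask:)         # the mask caps named entries; it must still allow read
        case $_perm in r*) ;; *) echo "mask $_perm blocks $_svc"; _bad=1 ;; esac
        continue ;;
      *) echo "unexpected entry: $_line"; _bad=1; continue ;;
    esac
    [ "$_perm" = "$_want" ] || { echo "$_tag:$_name is $_perm, want $_want"; _bad=1; }
  done
  [ "$_seen_svc" -eq 1 ] || { echo "no entry for $_svc"; _bad=1; }
  return "$_bad"
}

# Constructed sample: the intended ACL when the service account is cyg_server.
sample_good() {
  printf '%s\n' '# file: /home/user/.ssh' '# owner: user' \
    'user::rwx' 'user:cyg_server:r--' 'group::---' 'mask:r--' 'other:---'
}
# Constructed sample: ACL still names sshd_server although the service
# runs as cyg_server (the hard-coded assumption the message warns about).
sample_stale() {
  printf '%s\n' 'user::rwx' 'user:sshd_server:r--' 'group::---' 'mask:r--' 'other:---'
}

sample_good  | check_ssh_acl cyg_server && echo "good: ok"
sample_stale | check_ssh_acl cyg_server || echo "stale: needs fixing"
```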