X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Thu, 10 Apr 2008 10:31:50 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Yaakov? (was Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1)
Message-ID: <20080410083150.GA548@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <1207752935 DOT 9233 DOT 1246948379 AT webmail DOT messagingengine DOT com> <20080409161204 DOT GJ23852 AT calimero DOT vinschen DOT de> <47FD9DA7 DOT 6010403 AT cwilson DOT fastmail DOT fm>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <47FD9DA7.6010403@cwilson.fastmail.fm>
User-Agent: Mutt/1.5.16 (2007-06-09)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Apr 10 00:55, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> And that was really very nice. I'm not trying to criticize the general
>> approach. I just think we (that is: I) should get rid of the entire
>> message and the setfacl in ssh-user-config.
>
> Well, that will certainly simplify things. However, operating on the old
> assumption, the new (not even in CVS yet) version of csih lets you do this:
>
> compute_sshd_user() {
>   if csih_is_nt
>   then
>     if ! cygrunsrv -Q sshd >/dev/null 2>&1
>     then
>       csih_select_privileged_username -q sshd
>     fi
>     sshd_user=$(csih_service_should_run_as sshd)
>     if ! setfacl -m "u::rwx,u:${sshd_user}:r--,g::---,o::---" \
>          "${pwdhome}/.ssh"
>     then
>       csih_error_multiline \
>       ....
> }

That looks good. Almost a pity that we don't need to set permissions :)

>>> (c) But what if ${service} has not yet been installed, even though [a]
>>> common service account exists [perhaps used by some other installed
>>> cygwin service]? Then you'd still need the existing logic...
>> Right, but that should probably be a fallback.
>
> Ok, that's the way it works now. But it is also why the user-config client
> needs to check 'cygrunsrv -Q myservice' and call
>   csih_select_privileged_username -q myservice
> if the service is not already installed.

Only if permissions have to be set. But, since the services in question
are usually running under a privileged account (here: having the backup
user right), there's really no need to add the service account to the
ACL. This was only necessary in earlier days, when Cygwin didn't open
files with backup intent.

It *would* be a problem if the service in question doesn't run under a
privileged account, though. For instance, if the service has been
installed to run with just a single user account. But in that case,
either the user calling the user-config script is the same user as the
service account, or the user has lost anyway.

>> Nothing of that is actually helpful or informative for a
>> "just-a-user" user. And except for setting permissions (which isn't
>> necessary!) I really think we should not call this function from pure
>> user config scripts.
>
> That's up to the maintainer of each csih client package. You don't want to
> call these 'hey, what account is the server running as?' function, you
> don't need to.

I agree. It might be useful at one point.

> P.S. "not even in CVS yet" -- because in anticipation of getting approval
> from Corinna, Pierre, and Yaakov for explicitly specifying the license
> terms of csih.sh, I went ahead and made those changes to NEWS, COPYING,
> csih.sh, AUTHORS, etc.
>
> Corinna: MIT/X ok
> Pierre: MIT/X ok
> Yaakov: ...
>
> Yaakov?
>
> Bueller?
>
> Is this thing on?
>
> ,
>
> hello?

Wait, I help: YAAAAAAAAAKOV! HEEEEELLOOOOO!

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat