X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Message-ID: <489B13F4.4030002@cwilson.fastmail.fm>
Date: Thu, 07 Aug 2008 11:25:40 -0400
From: Charles Wilson <cygwin AT cwilson DOT fastmail DOT fm>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/20080708 Thunderbird/2.0.0.16 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server   account [SOLVED])
References: <20080513073720 DOT GA22193 AT calimero DOT vinschen DOT de> <3B3EFBD49B94AD4DBB7B7097257A8046DD02FC AT FDSVAST06SXCH01 DOT flooddata DOT net> <20080616210105 DOT GI731 AT calimero DOT vinschen DOT de> <20080616211352 DOT GK731 AT calimero DOT vinschen DOT de> <48821B9F DOT 6070907 AT cwilson DOT fastmail DOT fm> <20080719171235 DOT GO5675 AT calimero DOT vinschen DOT de> <488252B5 DOT 8000501 AT cwilson DOT fastmail DOT fm> <20080720122754 DOT GP5675 AT calimero DOT vinschen DOT de> <20080720134054 DOT GQ5675 AT calimero DOT vinschen DOT de> <4897AD74 DOT 8020606 AT cwilson DOT fastmail DOT fm> <20080807075806 DOT GA30629 AT calimero DOT vinschen DOT de>
In-Reply-To: <20080807075806.GA30629@calimero.vinschen.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Corinna Vinschen wrote:
> Hi Chuck,
> 
> On Aug  4 21:31, Charles Wilson wrote:
>> Corinna Vinschen wrote:
>>> Btw., there's a test for the administrators group in /etc/passwd.


>> I don't see this. I see testing /etc/passwd for the (local) Administrator 
>> USER, and testing /etc/group for the Administrators GROUP, but not 
>> /etc/passwd <-> Administrators GROUP.
>>
>> More info please?
> 
> Function csih_get_system_and_admins_ids(), last test:
> 
>   csih_ADMINSUID=$(sed -ne '/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,S-1-5-32-544:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}' /etc/passwd)
>   csih_SYSTEMUID=$(sed -ne '/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,S-1-5-18:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}' /etc/passwd)
>   if [ -z "$csih_ADMINSUID" -o -z "$csih_SYSTEMUID" ]
>   then
>     [...]
> 
> The function csih_get_system_and_admins_ids is called by
> csih_check_access() and requires the above test being successful.

Ah -- those lines are testing /etc/passwd for the Administrator USER. 
You originally said 'administrators group'. Hence my confusion.

Now, about csih_check_access() -- without exact knowledge of 
csih_ADMINSUID, csih_SYSTEMUID, csih_ADMINSGID, and csih_SYSTEMGID, then 
the whole csih_check_access() test can't be computed.

If you make those GID/UID vars "optional" (e.g. not a failure if 
missing), and then skip the relevant tests in csih_check_access, you 
might as well just abandon the test entirely.  Is that what we want to 
do?  Never bother to check for SYSTEM/Administrator access to the 
specified files?

e.g.
   /var/run
   /var/log
   /var/empty

Somehow that doesn't seem right.

--
Chuck


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/