Date: Thu, 7 Aug 2008 17:48:23 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
Message-ID: <20080807154823.GI3806@calimero.vinschen.de>
In-Reply-To: <489B13F4.4030002@cwilson.fastmail.fm>

On Aug 7 11:25, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> Hi Chuck,
>> On Aug 4 21:31, Charles Wilson wrote:
>>> Corinna Vinschen wrote:
>>>> Btw., there's a test for the administrators group in /etc/passwd.
>>>
>>> I don't see this. I see testing /etc/passwd for the (local) Administrator
>>> USER, and testing /etc/group for the Administrators GROUP, but not
>>> /etc/passwd <-> Administrators GROUP.
>>>
>>> More info please?
>>
>> Function csih_get_system_and_admins_ids(), last test:
>>
>> csih_ADMINSUID=$(sed -ne
>> '/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,S-1-5-32-544:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}'
>> /etc/passwd)
>> csih_SYSTEMUID=$(sed -ne
>> '/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,S-1-5-18:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*$/\1/p;q}'
>> /etc/passwd)
>> if [ -z "$csih_ADMINSUID" -o -z "$csih_SYSTEMUID" ]
>> then
>> [...]
>>
>> The function csih_get_system_and_admins_ids is called by
>> csih_check_access() and requires the above test being successful.
>
> Ah -- those lines are testing /etc/passwd for the Administrator USER. You
> originally said 'administrators group'. Hence my confusion.

No, the above lines are checking for the passwd entry for the
administrators group. S-1-5-32-544 is the SID of that group. The SID
for the Administrator user is S-1-5-21-X-Y-Z-500.

> Now, about csih_check_access() -- without exact knowledge of
> csih_ADMINSUID, csih_SYSTEMUID, csih_ADMINSGID, and csih_SYSTEMGID, then
> the whole csih_check_access() test can't be computed.
>
> If you make those GID/UID vars "optional" (e.g. not a failure if missing),
> and then skip the relevant tests in csih_check_access, you might as well
> just abandon the test entirely. Is that what we want to do? Never bother
> to check for SYSTEM/Administrator access to the specified files?
>
> e.g.
> /var/run
> /var/log
> /var/empty
>
> Somehow that doesn't seem right.

Well, hmm. In theory, admins have backup/restore rights anyway.
However, I was just thinking that csih should get rid of points of
failure which are not entirely necessary, like the checks for denied
user rights. If you think the test is necessary, just stick to it.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
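Added example, not part of the original message or of csih itself: the sed test quoted above, run against a constructed passwd file to show that it keys on the SID at the end of the gecos field, so the Administrators group entry (S-1-5-32-544) matches while the Administrator user entry (RID 500) does not. The helper names uid_for_sid and have_system_and_admins and all sample passwd lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample data in passwd format: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused:500:513:U-HOST\Administrator,S-1-5-21-1111111111-2222222222-3333333333-500:/home/Administrator:/bin/bash
EOF

# uid_for_sid FILE SID (hypothetical helper): print the uid (3rd field) of
# the first entry whose gecos field ends in ",SID". Same match-and-extract
# pattern as the quoted test, with the SID passed in as a parameter.
uid_for_sid() {
  sed -ne "/^[^:]*:[^:]*:[0-9]*:[0-9]*:[^:]*,$2:.*:/{s/[^:]*:[^:]*:\([0-9]*\):.*\$/\1/p;q;}" "$1"
}

# have_system_and_admins FILE (hypothetical helper): succeed only when both
# well-known SIDs have a passwd entry, mirroring the -z check quoted above.
have_system_and_admins() {
  admins_uid=$(uid_for_sid "$1" S-1-5-32-544)
  system_uid=$(uid_for_sid "$1" S-1-5-18)
  [ -n "$admins_uid" ] && [ -n "$system_uid" ]
}

echo "Administrators group uid: $(uid_for_sid "$SAMPLE_PASSWD" S-1-5-32-544)"
echo "SYSTEM uid:               $(uid_for_sid "$SAMPLE_PASSWD" S-1-5-18)"
if have_system_and_admins "$SAMPLE_PASSWD"; then
  echo "both entries present"
else
  echo "missing SYSTEM or Administrators entry in passwd file"
fi
```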