Message-ID: <489B29F1.909@cwilson.fastmail.fm>
Date: Thu, 07 Aug 2008 12:59:29 -0400
From: Charles Wilson
To: cygwin AT cygwin DOT com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
In-Reply-To: <20080807164241.GK3806@calimero.vinschen.de>

Corinna Vinschen wrote:
>> We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in
>> both /etc/group and /etc/passwd, right?
>
> Yes. I'm just wondering if we shouldn't check for the Admins group
> only. The token of the SYSTEM user always contains the Admins group and
> the cyg_server (or whatever the name is) user is always (and should
> always) be created as member of the admins group, too. So, if I didn't
> miss anything important, the check could be reduced to checking for the
> admins group permissions. Does that make sense?

It makes sense -- if the following assertion is true for NT/2k/XP, as
well as more modern versions of Windows, for both cygwin-1.5 and
cygwin-1.7:

Admins group access to a file (-...[rwx]... as specified by $2 if group
ownership of the file is Administrators, or a sufficient group token in
the extended ACLs is present as determined by getfacl) is necessary and
sufficient for the SYSTEM user (and/or the special privileged user) to
access the file, regardless of the file's actual owner.

--
Chuck
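The reduced check discussed above (Administrators access via the owning group's bits or via a named group entry in the extended ACL, as getfacl reports it), written out as an added example; this is not csih code or anything from the thread. The getfacl output, the file name and the cyg_server owner are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example: decide whether the Administrators group holds a required
# permission set on a file, judging from getfacl-style output.

# Constructed sample (not real system output): owning group is "None", and
# Administrators gets access only through a named group entry.
SAMPLE_ACL='# file: /var/empty
# owner: cyg_server
# group: None
user::rwx
group::r-x
group:Administrators:rwx
mask::rwx
other::---'

# admins_have_perms ACL_TEXT REQUIRED
# REQUIRED is a 3-char pattern such as "rwx" or "r-x"; '-' means don't care.
# Returns 0 when Administrators carries every required bit, either as the
# owning group ("group::" when "# group:" is Administrators) or through a
# "group:Administrators:" entry, with the mask entry applied when present.
admins_have_perms() {
    acl=$1; want=$2
    owning_group=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
    perms=$(printf '%s\n' "$acl" | sed -n 's/^group:Administrators://p')
    if [ -z "$perms" ] && [ "$owning_group" = "Administrators" ]; then
        perms=$(printf '%s\n' "$acl" | sed -n 's/^group:://p')
    fi
    [ -n "$perms" ] || return 1            # no entry grants Administrators anything
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask:://p')
    i=1
    while [ "$i" -le 3 ]; do
        w=$(printf '%s' "$want" | cut -c"$i")
        if [ "$w" != "-" ]; then
            p=$(printf '%s' "$perms" | cut -c"$i")
            [ "$p" = "$w" ] || return 1    # bit missing from the group entry
            if [ -n "$mask" ]; then
                m=$(printf '%s' "$mask" | cut -c"$i")
                [ "$m" = "$w" ] || return 1  # bit granted but masked out
            fi
        fi
        i=$((i + 1))
    done
    return 0
}

# Stand-alone run: report the verdict for the constructed sample.
if admins_have_perms "$SAMPLE_ACL" rwx; then
    echo "Administrators have rwx on the sample file"
else
    echo "Administrators lack rwx on the sample file"
fi
```

On a Cygwin host the ACL text would come from `getfacl "$file"` instead of the constructed sample.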