Message-ID: <489B8A25.1040008@cwilson.fastmail.fm>
Date: Thu, 07 Aug 2008 19:49:57 -0400
From: Charles Wilson
To: cygwin AT cygwin DOT com
Subject: csih-0.1.6 available for testing [Was: Re: CSIH patch (Re: Unable to run sshd ...)]
In-Reply-To: <489B29F1.909@cwilson.fastmail.fm>

Charles Wilson wrote:
> Corinna Vinschen wrote:
>>> We can require Administrators (-544) in /etc/group, and SYSTEM (-18)
>>> in both /etc/group and /etc/passwd, right?
>>
>> Yes. I'm just wondering if we shouldn't check for the Admins group
>> only. The token of the SYSTEM user always contains the Admins group and
>> the cyg_server (or whatever the name is) user is always (and should
>> always) be created as member of the admins group, too.
>> So, if I didn't
>> miss anything important, the check could be reduced to checking for the
>> admins group permissions. Does that make sense?
>
> It makes sense -- if the following assertion is true for NT/2k/XP, as
> well as more modern versions of Windows, for both cygwin-1.5 and
> cygwin-1.7:
>
> Admins group access to a file (-...[rwx]... as specified by $2 if group
> ownership of the file is Administrators, or a sufficient group token in
> the extended ACLs is present as determined by getfacl) is necessary and
> sufficient for the SYSTEM user (and/or the special privileged user) to
> access the file, regardless of the file's actual owner.

Well, the changes are piling up in this release, so all I implemented
with regards to this specific issue was
  (1) csih_get_system_and_admins_ids() doesn't fail if it can't find
      the Administrators group entry in /etc/passwd
  (2) csih_check_access() skips checking if the file is owned by the
      Administrators group when csih_ADMINSUID is empty.

We can address the finer points of this issue -- and probably others --
in 0.1.7.

I've uploaded csih-0.1.6 as a test release, but I do not imagine it will
survive to curr: without changes. (e.g. it is most likely broken. I hope
not, but...my testing environment is limited.)

Please test and send patches for a better 0.1.7. Also see FIXME in
csih_create_unprivileged_user.

Here's the change log and news:

NEWS

* more permissions tweaks for privileged user:
  See http://cygwin.com/ml/cygwin/2008-06/msg00453.html
  Users of earlier versions of csih may need to manually adjust
  their existing privileged users. Again:
    editrights -r SeDenyNetworkLogonRight -u cyg_server
    editrights -r SeDenyInteractiveLogonRight -u cyg_server
    editrights -r SeIncreaseQuotaPrivilege -u cyg_server
* Even on NT/2k/XP, prefer to use "privileged" user (cyg_server,
  sshd_server, cron_server, etc) if a suitable such user already
  exists. If not, then for these older OS's, fall back to SYSTEM.
  As always, by setting csih_FORCE_PRIVILEGED_USER -- usually done by
  the calling script via a command line argument, such as
    /usr/bin/iu-config -privileged
  the user can force NT/2k/XP to behave as Vista or Server2008: a
  privileged user is required, and if one does not exist it will be
  created.
* Also accept privileged accounts that exist only in /etc/passwd and
  are not present in the local SAM. That is, accept pre-existing
  privileged domain accounts.
* New utility program: getVolInfo
  http://cygwin.com/ml/cygwin/2007-08/msg00040.html
* New function: csih_path_supports_acls() returns 0 (success) if
  the specified path is located on a volume that supports ACLs.
  Uses getVolInfo. Behavior can be modified, when getVolInfo is
  incorrect, by setting user-accessible variables:
    csih_WIN32_VOLS_WITH_ACLS
    csih_WIN32_VOLS_WITHOUT_ACLS
  which each may contain ;-separated lists of win32 paths, specifying
  volumes in the relevant category.
* It is no longer a fatal error if, when checking the permissions or
  access rights of a file or directory, the target is located on a
  volume that does not support ACLs. A warning is issued, but
  operation continues.
* The Administrators group is no longer required to be in /etc/passwd.
  However, it is still required in /etc/group. SYSTEM is (still)
  required in both /etc/passwd and /etc/group.

ChangeLog

2008-08-07  Charles Wilson  <...>

    Add getVolInfo utility program. Use it to avoid checking
    permissions on volumes that do not support ACLs.
    * csih.sh (main): update documentation.
    (csih_WIN32_VOLS_WITH_ACLS): new client-accessible var.
    (csih_WIN32_VOLS_WITHOUT_ACLS): ditto.
    (csih_path_supports_acls): new function.
    (_csih_convert_w32vol_to_shell_pattern): new function.
    (_csih_path_in_volumelist_core): new function.
    (_csih_path_in_volumelist): new function.
    (csih_get_system_and_admins_ids): update comments. No longer
    an error if Administrators group is not found in /etc/passwd.
    (_csih_warning_for_win9x_perms): new function.
    (_csih_warning_for_missing_ACL_support): new function.
    (csih_check_dir_perms): bail out early (returning success but
    with a warning) if on OS older than windows NT, or the specified
    file/dir is on a volume that does not support ACLs.
    (csih_check_access): ditto. Also, improve comments. If
    csih_ADMINSUID is empty, gracefully skip checking if file/dir
    is owned by the Administrators group.
    * cygwin/Makefile: new file.
    * cygwin/getVolInfo.c: new file.
    * COPYING: update documentation.
    * NEWS: update documentation.

2008-08-04  Charles Wilson  <...>

    Accept pre-existing privileged domain accounts. Default to
    privileged account on NT/2k/XP if exist.
    * csih.sh (csih_privileged_accounts): Always look for privileged
    users if NT or better. Look in both /etc/passwd and local SAM.
    (csih_privileged_account_exists): Update documentation to reflect
    behavior change inherited from above.
    (csih_select_privileged_username): Attempt to return a username
    even on NT/2k/XP (but default to empty if no pre-existing
    privileged user on those OS's). Be more specific in the
    informational messages emitted. Look in both /etc/passwd and
    local SAM for accounts, if user specified one we don't know
    about already.
    (csih_create_privileged_user): Improve comments.
    (csih_create_unprivileged_user): Improve comments. See FIXME!
    (remove this line from ChangeLog when resolved)
    (csih_service_should_run_as): Improve comments. Check both
    /etc/passwd and local SAM if "answer" is an account that did not
    exist when script was launched. For NT/2k/XP, default to
    pre-existing privileged user (if one exists), and only report
    SYSTEM otherwise.
    * NEWS: Document new behavior

2008-07-19  Corinna Vinschen  <...>

    * csih.sh (csih_account_has_necessary_privileges): Don't
    explicitly test for SeDenyXXX rights, nor for
    SeIncreaseQuotaPrivilege.
    (csih_create_privileged_user): Drop setting
    SeDenyInteractiveLogonRight and SeIncreaseQuotaPrivilege.
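
Added example, not part of the original message and not csih code: a shell check for the account-database requirement stated in the last NEWS item (SYSTEM in both /etc/passwd and /etc/group, Administrators in /etc/group only). It assumes the classic Cygwin file layouts shown in the comments; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Illustration only. Assumed file layouts (classic mkpasswd/mkgroup output):
#   passwd: name:pw:uid:gid:gecos,SID:home:shell
#   group:  name:SID:gid:members
SYSTEM_SID='S-1-5-18'       # well-known SID of the SYSTEM account
ADMINS_SID='S-1-5-32-544'   # well-known SID of the Administrators group

# has_passwd_sid FILE SID: succeed if some entry ends its gecos field with SID.
has_passwd_sid() {
  awk -F: -v sid="$2" '
    { n = split($5, g, ","); if (n > 0 && g[n] == sid) found = 1 }
    END { exit !found }' "$1"
}

# has_group_sid FILE SID: succeed if some entry carries SID in field 2.
has_group_sid() {
  awk -F: -v sid="$2" '$2 == sid { found = 1 } END { exit !found }' "$1"
}

# check_required_ids PASSWD GROUP: return 0 when the NEWS requirement holds.
# Matching is by SID, so a renamed or localized group name still passes.
check_required_ids() {
  rc=0
  has_passwd_sid "$1" "$SYSTEM_SID" ||
    { echo "error: SYSTEM ($SYSTEM_SID) missing from $1" >&2; rc=1; }
  has_group_sid "$2" "$SYSTEM_SID" ||
    { echo "error: SYSTEM ($SYSTEM_SID) missing from $2" >&2; rc=1; }
  has_group_sid "$2" "$ADMINS_SID" ||
    { echo "error: Administrators ($ADMINS_SID) missing from $2" >&2; rc=1; }
  # Not required in passwd; reported only for information.
  has_passwd_sid "$1" "$ADMINS_SID" ||
    echo "note: Administrators not in $1 (allowed)" >&2
  return "$rc"
}

# Constructed sample data: Administrators appears in the group file only.
sample_dir=$(mktemp -d)
printf '%s\n' \
  'SYSTEM:*:18:544:,S-1-5-18::' \
  'cyg_server:unused:1004:513:U-HOST\cyg_server,S-1-5-21-1111-2222-3333-1004:/var/empty:/bin/false' \
  > "$sample_dir/passwd"
printf '%s\n' \
  'SYSTEM:S-1-5-18:18:' \
  'Administrators:S-1-5-32-544:544:' \
  > "$sample_dir/group"

check_required_ids "$sample_dir/passwd" "$sample_dir/group" && echo "requirements met"
```

On a real installation the two arguments would be /etc/passwd and /etc/group.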