Date: Wed, 20 Aug 2008 19:46:49 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1
Message-ID: <20080820174649.GW29104@calimero.vinschen.de>
In-Reply-To: <48AC47CC.4060308@cwilson.fastmail.fm>

On Aug 20 12:35, Charles Wilson wrote:
> Corinna Vinschen wrote:
> > I would like to propose to do all the work in the csih script, like
> > this:
> > [...]
> >   csih_make_dir "${SYSCONFDIR}"
> >   chmod 755 "${LOCALSTATEDIR}/etc"
>             ^^^^^^^^^^^^^^^^^^^^^
> I assume you mean "${SYSCONFDIR}" here. However, if the chmod command

Oh, sure. Thanks for noticing.

> > The /var dirs are now (setup 2.609) created with 01777 permissions
> > anyway, but it can't hurt to keep this code in. The 01777 permissions
> > make sure that all daemons can create their files in /var/run, /var/log.
> >
> > The code in /bin/ssh-host-config would go away entirely. The script
> > would also test for the *next* csih version 0.1.8.
>
> Sure, that works. Try the following. I hesitate to actually release
> 0.1.8 until you finish your testing cycle with the new openssh. Let's
> coordinate the release(s).
> [...]
>   csih_make_dir "${SYSCONFDIR}"
> -
> +  chmod 755 "${LOCALSTATEDIR}/etc" || /bin/true
> +

I guess that should have been

  chmod 755 "${SYSCONFDIR}" || /bin/true

:-)

I got two other problems:

*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: Something is wrong: sshd is in /etc/passwd,
*** Warning: but Windows does not know anything about sshd.
*** Warning: Perhaps sshd is a pre-existing domain account.
*** Warning: Continuing, but subsequent actions in this script may fail.
*** Warning: Couldn't create user 'sshd'!
*** Warning: Privilege separation set to 'no' again!
*** Warning: Check your /etc/sshd_config file!

That's a bit harsh. If the unprivileged user exists in /etc/passwd, let's
use it. Even if you print the warning, it doesn't make sense to return
false from csih_create_unprivileged_user() in this case, thus resulting in
a failing function in the parent script.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Warning: Adding user 'cyg_server' to local group 'Administrators' failed!
*** Warning: Please add 'cyg_server' to local group 'Administrators' before
*** Warning: starting any of the services which depend upon this user!
mkpasswd (445): [2221] The user name could not be found.
*** ERROR: There was a serious problem creating a privileged user.
*** Query: Do you want to proceed anyway?

Of course, since cyg_server is a domain account, it's not possible to add
it to the local admins group. In fact, since cyg_server is a Domain Admin
account, and the Domain Admin group in turn is a member of the
Administrators group, cyg_server already is a member of the Administrators
group on all domain member machines. So, when choosing an account from
/etc/passwd, the above step in csih_create_privileged_user() should be
skipped, together with any postprocessing such as checking for password
expiry.
In the long run, it would be cool if the script were domain aware, of
course, but some tweaking of tools might be necessary before we can do
that.

Other than that, I think it looks good now. I attached a patch to
accomplish the above.

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Attachment: csih.diff

--- cygwin-service-installation-helper.sh.ORIG	2008-08-20 19:45:42.332754000 +0200
+++ cygwin-service-installation-helper.sh	2008-08-20 19:43:19.402407300 +0200
@@ -171,7 +171,7 @@
 # ======================================================================
 csih_progname=$0
 csih_progname_base=$(basename -- $csih_progname)
-csih_VERSION=0.1.7
+csih_VERSION=0.1.8
 readonly csih_progname csih_progname_base csih_VERSION
 csih_auto_answer=""
@@ -2062,7 +2062,7 @@ _csih_setup()
   # script to explicitly check accees to the specific configuration
   # files inside /etc...
   csih_make_dir "${SYSCONFDIR}"
-  chmod 755 "${LOCALSTATEDIR}/etc" || /bin/true
+  chmod 755 "${SYSCONFDIR}" || /bin/true
   _csih_setup_already_called=1
 fi
@@ -2444,9 +2444,9 @@ csih_create_privileged_user()
       fi
     fi # user allowed us to create account
   else # ${username} did not already exist
-    username_in_sam=yes # use passed-in value as first guess
     csih_PRIVILEGED_PASSWORD="${password_value}"
+    return 0
   fi
   if [ "$username_in_sam" = "yes" ]
@@ -2588,16 +2588,14 @@ csih_create_unprivileged_user()
   else
     if [ "${unpriv_user_in_sam}" != "yes" ]
     then
-      # FIXME: the following may be okay, and we may want to return success
-      # below if either *in_passwd or *in_user, rather than requiring both
-      # Solve this after the next round of testing.
-      csih_warning "Something is wrong: ${unpriv_user} is in ${SYSCONFDIR}/passwd,"
-      csih_warning "but Windows does not know anything about ${unpriv_user}."
+      # FIXME: Needs real domain awareness to not print spurious warnings
+      csih_warning "${unpriv_user} is in ${SYSCONFDIR}/passwd, but the"
+      csih_warning "local machine's SAM does not know about ${unpriv_user}."
       csih_warning "Perhaps ${unpriv_user} is a pre-existing domain account."
-      csih_warning "Continuing, but subsequent actions in this script may fail."
+      csih_warning "Continuing, but check if this is ok."
     fi
   fi
-  [ "x${unpriv_user_in_passwd}" = "xyes" -a "x${unpriv_user_in_sam}" = "xyes" ] && return 0
+  [ "x${unpriv_user_in_passwd}" = "xyes" -o "x${unpriv_user_in_sam}" = "xyes" ] && return 0
   return 1
 fi
 return 1 # not nt
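Review bot: the csih_VERSION bump from 0.1.7 to 0.1.8 in the first hunk (@@ -171) lands before 0.1.8 is actually released; the quoted reply says the release is being held until the openssh testing cycle is done, so a locally patched 0.1.7 tree will already satisfy the ssh-host-config check for the *next* csih version. Keep the bump in the release commit, or split it out of this functional patch so the two can be coordinated as the mail suggests.

Review bot: in the _csih_setup() hunk (@@ -2062), `chmod 755 "${SYSCONFDIR}" || /bin/true` fixes the wrong path but still swallows a chmod failure silently, so an unwritable or oddly owned /etc is only discovered later when a daemon cannot read its configuration; consider `chmod 755 "${SYSCONFDIR}" || csih_warning "..."` so the operator sees the cause at setup time. The surrounding context comment also misspells "access" as "accees".

Review bot: the new `return 0` in the csih_create_privileged_user() hunk (@@ -2444) leaves the function before the `if [ "$username_in_sam" = "yes" ]` block and everything after it, which is what the mail asks for (skip the Administrators-group add and the password-expiry postprocessing for an account taken from /etc/passwd), but the branch comment `# ${username} did not already exist` reads as if this branch handled a missing account, while returning success without creating anything only makes sense for one that already exists. Reword the comment to state the case actually handled, and confirm that setting csih_PRIVILEGED_PASSWORD to the passed-in value is still wanted for an account the script never creates.

Review bot: changing `-a` to `-o` in the csih_create_unprivileged_user() hunk (@@ -2588) makes the function succeed for a user present in /etc/passwd only (the domain-account case from the mail) but also for one present in the SAM only, with no /etc/passwd entry at all; check that callers do not depend on the passwd entry, or test the two flags separately. `-a` and `-o` inside `[ ]` are also marked obsolescent by POSIX; `[ "x${unpriv_user_in_passwd}" = "xyes" ] || [ "x${unpriv_user_in_sam}" = "xyes" ]` expresses the same condition without the ambiguity.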