X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-1.0 required=5.0 	tests=AWL,BAYES_00,SARE_MSGID_LONG40,SPF_PASS
X-Spam-Check-By: sourceware.org
MIME-Version: 1.0
Date: Wed, 17 Feb 2010 09:44:39 +1300
Message-ID: <e56401831002161244r4791dda4n35b00a1100d7d278@mail.gmail.com>
Subject: /usr/bin/cron-config can render a Win2K3 box unusable
From: Patrick Rynhart <prynhart AT gmail DOT com>
To: cygwin AT cygwin DOT com
Content-Type: text/plain; charset=ISO-8859-1
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

I'm on Windows Server 2003 and carefully read through
/usr/share/doc/Cygwin/cron-4.1-57.README prior to configuring cron.
The guide discusses how a privileged user account is required in order
to run cron.  The script  /usr/bin/cron-config gives you the option of
creating a user account on behalf (e.g. cyg_server) or using your own
account, i.e.

"Since Windows2003, the SYSTEM account cannot setuid to other users.
You may need to have or to create a privileged account."

*** Throughout the setup process, there is no suggestion that using
your own Administrative account, or the BUILTIN "Administrator"
account is discouraged ****

However, the script /usr/bin/cron-config will set NT Rights
"SeDenyInteractiveLogonRight, SeDenyNetworkLogonRight,
SeDenyRemoteInteractiveLogonRight".  In the case of a newly created
account is this fine, but if it is a user supplied account then the
account is instantly locked out.

In the case of a Win2K3 box with only one administrative account, i.e.
"Administrator" (and everyone else running using under priv accounts
in a terminal services environment) this turns out to be catastrophic.

Can the script please be modified to at least WARN the user that these
rights will be applied.  It seems to me that "your own" account can't
really be used at all, for if the rights "SeDenyInteractiveLogonRight,
SeDenyNetworkLogonRight, SeDenyRemoteInteractiveLogonRight" are all
applied then the account cannot be used interactively.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple