Subject: Re: ssh-host-config: patch fix debug option + broken for me on Vista (non-domain)
To: cygwin AT cygwin DOT com
References: <20170119181643 DOT GB25162 AT calimero DOT vinschen DOT de>
From: Shaddy Baddah <superbas AT shaddybaddah DOT name>
Message-ID: <252a5384-0979-7912-18ca-b8ceeccdb016@shaddybaddah.name>
Date: Mon, 23 Jan 2017 14:12:49 +1100
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Icedove/45.6.0
MIME-Version: 1.0
In-Reply-To: <20170119181643.GB25162@calimero.vinschen.de>
Content-Type: multipart/mixed; boundary="------------A915A5E5AD184127DFD1C552"
X-AuthUser: superbas AT shaddybaddah DOT name

--------------A915A5E5AD184127DFD1C552
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi,


On 20/01/17 05:16, Corinna Vinschen wrote:
> On Jan 19 22:26, Shaddy Baddah wrote:
>>
>> Hi,
>>
>> On 19/01/17 21:38, Corinna Vinschen wrote:
>>> On Jan 18 14:34, Shaddy Baddah wrote:
>> ...
>>
>>>> And I'm sure the problem is that this well-intended change to the script
>>>> fails on the assumption that LOGONSERVER is always populated. It isn't
>>>> for me on Vista.
>>>>
>>>> cygwin-service-installation-helper.sh:2884:      # This test succeeds on
>>>> domain member machines only, not on DCs.
>>>> cygwin-service-installation-helper.sh:2885:      if [
>>>> "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}" \
>>>> cygwin-service-installation-helper.sh:2886:        -a "${LOGONSERVER}" !=
>>>> "\\\\MicrosoftAccount" ]
>>>> cygwin-service-installation-helper.sh:2887:      then
>>>> cygwin-service-installation-helper.sh:2888:     # Lowercase of USERDOMAIN
>>>> cygwin-service-installation-helper.sh:2889:
>>>> csih_PRIVILEGED_USERNAME="${COMPUTERNAME,,*}+${username}"
>>>> cygwin-service-installation-helper.sh:2890:      fi
>>>> cygwin-service-installation-helper.sh:2891:    fi
>>>>
>>>> I fixed this by modifying the test to check LOGONSERVER is not empty:
>>>>
>>>> if [ -n "${LOGONSERVER}" -a "\\\\...
>>>>
>>>> Can this be fixed in the next release?
>>>
>>> Sure, please provide a patch, I'll check it in and release a new csih
>>> soonish.
>>
>> I would, but there's a couple of hitches. Without understanding the
>> syntax (and I should bring up the bash man page here, I will do after
>> this), I can't be sure that the following test:
>>
>> "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}"
>>
>> wasn't designed to handle an empty LOGONSERVER variable.
>
> No, it wasn't.  The idea is that if LOGONSERVER == COMPUTERNAME your
> machine is not in a domain.  Actually, I *never* encountered an environment
> in which LOGONSERVER isn't set.  Are you sure this isn't just some kind
> of misconfiguration?  I don't think Cygwin is the only application
> checking for LOGONSERVER.

Sorry, yep, it's to check that it is not in a domain. The ',,' is just a
bonus case conversion to guarantee that case doesn't throw off the
comparison (I wasn't familiar with it).

On 21/01/17 09:40, szgyg wrote:
 > On 1/19/2017 7:16 PM, Corinna Vinschen wrote:
 >> The idea is that if LOGONSERVER == COMPUTERNAME your
 >> machine is not in a domain.  Actually, I *never* encountered an
 >> environment
 >> in which LOGONSERVER isn't set.
 >
 > It's empty if you're using RunAs.

Thank you szgyg. This is on the right track. There is a variation. I
didn't use the RunAs command.

Instead I did what I think is the almost 100% use case for running
ssh-host-config. Which is to launch mintty by selecting "Run as
administrator", elevate privilege to allow the script to add users and
services, etc.

The difference is as follows. And I test for this. I login to the
desktop as a non-administrator. When I select "Run as administrator" I
am prompted to enter a password for (one of) the administrator users.

That mintty (and cmd prompt too, obviously) does not have LOGONSERVER set.

If I login to the desktop as administrator user, and "Run as
administrator", LOGONSERVER is set.

Also, there is another use case which I haven't tried, but I would feel
would result in no LOGONSERVER as well... not sure. I can try it as I
complete this email...

That is logging in to an administrator user via ssh itself. OK, it
doesn't make sense for the purpose of running ssh-host-config (you've
obviously already got ssh server running), but just to cover bases...
I've tried it, and LOGONSERVER is set.

So it seems LOGONSERVER isn't set if you RunAs, from the desktop, as a
different user.

As an aside... doesn't seem like the administrator user has the elevated
privileges anymore. It was the case in the past. I never picked up on
that change.

To that end, please find attached the patch to fix the LOGONSERVER
problem. I think it should be fine for a domain environment. Because if
you run as a domain assigned local administrator, LOGONSERVER will be
set, even on a "Run as administrator".

If you just run as a local computer administrator (whatever the
accurate terminology is here), then you will have an empty LOGONSERVER
and the script will run for the local user.

-- 
Regards,
Shaddy
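
Added example (not part of the original message and not csih code): the domain-member test discussed above, before and after the empty-LOGONSERVER guard, run over four constructed LOGONSERVER values. The function names, the host names MYPC and DC01 and the account name cyg_server are assumptions chosen for illustration.

```shell
# Lowercasing uses tr so this also runs under plain sh; the csih script
# itself uses bash's ${VAR,,*} expansion for the same purpose.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Test as quoted in the thread: success means "domain member".
# $1 = COMPUTERNAME, $2 = LOGONSERVER
original_test() {
  [ "\\\\$(lower "$1")" != "$(lower "$2")" ] &&
    [ "$2" != "\\\\MicrosoftAccount" ]
}

# Same test with the guard proposed in the thread: an empty LOGONSERVER
# is never treated as a domain member.
patched_test() {
  [ -n "$2" ] && original_test "$1" "$2"
}

# Mirrors how the script derives the privileged account name:
# "<lowercased computername>+<username>" when the test succeeds,
# the plain username otherwise.
# $1 = test function, $2 = COMPUTERNAME, $3 = LOGONSERVER, $4 = username
privileged_username() {
  if "$1" "$2" "$3"; then
    printf '%s+%s\n' "$(lower "$2")" "$4"
  else
    printf '%s\n' "$4"
  fi
}

# Constructed sample values: standalone machine, domain member,
# Microsoft account, and the empty value seen after elevating with
# another administrator's credentials.
for srv in '\\MYPC' '\\DC01' '\\MicrosoftAccount' ''; do
  printf 'LOGONSERVER=%-22s original=%-18s patched=%s\n' "[$srv]" \
    "$(privileged_username original_test MYPC "$srv" cyg_server)" \
    "$(privileged_username patched_test MYPC "$srv" cyg_server)"
done
```

Only the last row differs: without the guard, an empty LOGONSERVER satisfies both inequality checks and the account name gets the machine prefix even though the machine is standalone.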


--------------A915A5E5AD184127DFD1C552
Content-Type: text/x-patch;
 name="fix-ssh-host-config-LOGONSERVER.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="fix-ssh-host-config-LOGONSERVER.diff"

--- cygwin-service-installation-helper.sh.orig	2015-10-28 20:23:49.000000000 +1100
+++ cygwin-service-installation-helper.sh	2017-01-23 13:54:19.334891100 +1100
@@ -2882,7 +2882,8 @@
     if ! csih_use_file_etc "passwd"
     then
       # This test succeeds on domain member machines only, not on DCs.
-      if [ "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}" \
+      if [ -n "${LOGONSERVER}" \
+	   -a "\\\\${COMPUTERNAME,,*}" != "${LOGONSERVER,,*}" \
 	   -a "${LOGONSERVER}" != "\\\\MicrosoftAccount" ]
       then
 	# Lowercase of USERDOMAIN
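
Review bot: the comment above the test ("This test succeeds on domain member machines only, not on DCs") is left unchanged, but with the new -n "${LOGONSERVER}" guard an empty LOGONSERVER now also fails the test, so that case is handled as a non-domain machine. Please extend the comment to say that an unset LOGONSERVER is deliberately treated as the local case, so a later reader does not drop the guard as redundant. As a style point, the condition now chains three expressions with -a inside a single [ ]; the script already depends on bash (the ,, expansion), so [[ ... && ... ]] or separate [ ] && [ ] tests would avoid the parsing ambiguity of -a.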


--------------A915A5E5AD184127DFD1C552--