This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: Cygwin service account (Re: inetd help)


From: "Corinna Vinschen"
To: <cygwin-apps@cygwin.com>
Sent: Saturday, July 15, 2006 7:27 AM
Subject: Cygwin service account (Re: inetd help)



On Jul 14 17:57, Corinna Vinschen wrote:
On Jul 14 07:21, Andrew DeFaria wrote:
> I'd argue it's also becoming time for a replacement for the Local System
> Account for sshd, inetd and crond, perhaps named daemon instead of
> sshd_server which seems decidedly ssh biased. IOW maybe a little config
> script to create the daemon user - with the necessary privileges like
> sshd_server - which each/any of the above mentioned config scripts could
> call in order to set up the service. In fact I think this should be the
> way to go even on older systems such as 2000 and XP instead of relying
> on Local System Account. Then it's a little cleaner that all Cygwin
> services requiring any specific permissions run under the daemon local
> user...


Sure, I like the idea. Instead of arguing, just go ahead.

http://cygwin.com/acronyms/#SHTDI
http://cygwin.com/acronyms/#PTC


So, what do we do here now?  The idea is crystal clear, it's very much
right, but literally nobody is doing the chores.

What we need is a script which creates a Windows user specifically
designed to start Cygwin processes which need special privileges.
The code we could simply steal from my ssh-host-config (there's just one
`editrights -a SeTcbPrivilege' missing right now).

The script could be named `cygwin-server-install'.  It could be called
from all other server installation scripts.  It could be packed as its
own package and put into the base category.

Five questions are left.

1. What do we choose as the name of that account?

My suggestion: cygwin_server

2. Do we require the user to have a special uid/gid in Cygwin? 0:0?

3. Which packages are affected?

My packages are: cron, inetutils, openssh, syslog-ng.

4. Are all maintainers of the affected packages willing to do the
  transition to using this script/the new account pretty quickly?

I am if you are.

5. Last but not least: Who will create the script/package and maintain it?

cron-config already has a pretty much self-contained function to create such a privileged user; it would be easy to extend it (if needed). It's adapted from Corinna's ssh stuff, and it is also used for exim (add it to the list).

It also looks for typical server names such as sshd_server cyg_server cron_server
and offers to reuse them if they exist.

One issue that I notice is that sshd_server is (at least, "was") setting its home directory
to something special. Is it needed? Other servers may also require unusual settings.
We should identify the superset of the special needs.

Pierre
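Added example, not code from this thread or from any Cygwin package: a sketch of the `cygwin-server-install' script the thread asks for, as a Cygwin bash script. It reuses one of the existing server accounts cron-config looks for (sshd_server, cyg_server, cron_server) or creates the suggested cygwin_server, grants the account its rights with editrights (including the SeTcbPrivilege Corinna says ssh-host-config is still missing) and adds a passwd entry with mkpasswd. The account name, the exact list of rights and the Administrators group membership are assumptions modelled on what the thread says ssh-host-config does; the net/editrights/passwd/mkpasswd calls are real Cygwin and Windows commands. With DRY_RUN=1 it only prints the commands, and EXISTING_ACCOUNTS stands in for the Windows account database, so the selection logic can be checked on any machine.

```shell
#!/bin/bash
# Added example, not code from the thread or from any Cygwin package.
# Creates (or reuses) a privileged Windows account for Cygwin daemons
# and grants it the rights a service needs. Run from a Cygwin bash as
# an Administrator; with DRY_RUN=1 it only prints the commands.
set -u

DRY_RUN=${DRY_RUN:-0}

# Names the thread says cron-config already looks for, in the order it
# tries them; the first one that exists is reused.
CANDIDATE_USERS="sshd_server cyg_server cron_server"
# Corinna's suggested name for a new account.
DEFAULT_USER=cygwin_server

# Rights granted to the account. Assumption: the set ssh-host-config of
# that era used, plus the SeTcbPrivilege the thread notes is missing.
SERVICE_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege
SeTcbPrivilege SeIncreaseQuotaPrivilege SeServiceLogonRight
SeDenyInteractiveLogonRight SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight"

# run CMD...: print the command, then execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# account_exists NAME: succeed if NAME is an existing local Windows
# account. `net user NAME` exits non-zero when it is not. In dry-run
# mode the space-separated EXISTING_ACCOUNTS variable (a constructed
# stand-in for the account database) is consulted instead.
account_exists() {
    if [ "$DRY_RUN" = 1 ]; then
        case " ${EXISTING_ACCOUNTS:-} " in
            *" $1 "*) return 0 ;;
        esac
        return 1
    fi
    net user "$1" >/dev/null 2>&1
}

# pick_service_user: print the account to use, reusing an existing
# server account when one is found, otherwise the default name.
pick_service_user() {
    local u
    for u in $CANDIDATE_USERS; do
        if account_exists "$u"; then
            echo "$u"
            return 0
        fi
    done
    echo "$DEFAULT_USER"
}

# setup_service_user NAME PASSWORD: create the account if it is missing,
# grant every right in SERVICE_RIGHTS (re-adding a right the account
# already holds is harmless, so this is safe on a reused account), and
# add a passwd entry so Cygwin knows the account.
setup_service_user() {
    local user=$1 password=$2 r
    if ! account_exists "$user"; then
        run net user "$user" "$password" /add /yes
        # Assumption: like ssh-host-config, make the account an Administrator.
        run net localgroup administrators "$user" /add
        run passwd -e "$user"          # password never expires
    fi
    for r in $SERVICE_RIGHTS; do
        run editrights -a "$r" -u "$user"
    done
    if ! grep -q "^$user:" /etc/passwd 2>/dev/null; then
        run sh -c "mkpasswd -l -u '$user' >> /etc/passwd"
    fi
}

# Usage: cygwin-server-install --install PASSWORD
if [ "${1:-}" = "--install" ]; then
    setup_service_user "$(pick_service_user)" "${2:?password required}"
fi
```

The deny-logon rights are what keep a compromised daemon password from being usable for an interactive or network logon; a service account only needs SeServiceLogonRight to be started by the service control manager.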

