Re: Bug in csih

[Corinna Vinschen <corinna-cygwin at cygwin dot com>]

Chuck?  Ping?

On Dec 19 14:07, Corinna Vinschen wrote:
> Hi Chuck,
> 
> 
> during some testing I suddenly found that I couldn't start an sshd which
> I had just installed as a service.  The reason was that the account I
> was using for the service didn't have the "Logon as service" user right.
> Which was puzzeling given that csih calls editrights to add this user
> right.
> 
> It turned out that the following test in cygwin-service-installation-helper.sh
> is incorrect (line 2264):
> 
>   if ! csih_call_winsys32 net localgroup "${admingroup}" | /usr/bin/grep -Eiq "^${user}.?$"
> 
> The problem occurs if the user account is a domain account.  In that
> case membership in the local administrators group is often only
> indirectly given by being the member in a domain group which in turn
> is member in the Administrators group.  Example:
> 
>   "DOMAIN\user" is member of "DOMAIN\Domain Admins"
>   "DOMAIN\Domain Admins" is member of "Administrators"
> 
> However, the `net localgroup' command does not resolve group memberships.
> `net localgroup Administrators' on a domain member machine returns:
> 
>   Alias name     Administrators
>   Comment        [...blah...]
> 
>   Members
> 
>   -----------------------------------
>   Administrator
>   VINSCHEN\Domain Admins
>   The command completed successfully.
> 
> Calling `net localgroup Administrators /domain' isn't sufficient either,
> since it also doesn't return indirect memberships.
> 
> Therefore I think the test for being a member of the admins group is
> invalid and should just go away.  The current behaviour is too surprising
> in a domain environment.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat