This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1


On Apr  8 10:12, Corinna Vinschen wrote:
> On Apr  8 01:21, Charles Wilson wrote:
> > Well, I'm waiting for answers to the questions here:
> >   http://cygwin.com/ml/cygwin/2008-04/msg00211.html
> > from Corinna and Yaakov, but in the meantime:
> >
> > Here's a version of ssh-user-config that works with CVS csih (what will 
> > become 0.1.4 very soon).
> 
> Cool, thanks!  
> 
> I'll have a look,
> Corinna

Looks ok, but I have a few questions/comments.

- When the script starts, the following text appears:

*** Info: You appear to be running Windows 2003 Server or later.  On 2003 and
*** Info: later systems, it's not possible to use the LocalSystem account
*** Info: for services that can change the user id without an explicit password
*** Info: (such as passwordless logins [e.g. public key authentication] via sshd).

*** Info: If you want to enable that functionality, it's required to create a new
*** Info: account with special privileges (unless a similar account already exists).
*** Info: This account is then used to run these special servers.

*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges itself.

*** Info: The following privileged accounts were found: 'cyg_server' .

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will not be able to log on interactively, but will only
*** Info: be used by registered services.
*** Query: Do you want to use different name? (yes/no) no

The query "Do you want to use different name?" is a bit upside down,
IMHO.  The query should rather be phrased positively: "Do you want to use
that name?"

However, I think the whole message is too noisy and confusing for
non-admins.  The default user doesn't actually know which user name the
sshd service is running under.  Additionally, given that Cygwin opens
files always with BACKUP_INTENT for a while anyway, and given that the
service account is a member of the administrators group, which has
backup user rights, there's not much reason anymore to add the service
account to the ACL.  I fear that's just old cruft in the ssh-user-script.

But, here's a question:  Shouldn't the csih_privileged_accounts() function
check the service itself, rather than testing possible names with `net
user'?  It would be as simple as giving csih_privileged_accounts the
service name as $1 argument, and then extract the user name with something
along the lines of

  # ObjectName is the account the service is registered to run under
  svc_user=$(regtool get "/HKLM/SYSTEM/CurrentControlSet/Services/$1/ObjectName")
  # local accounts are stored as '.\name'; replace the '.\' with the host name
  svc_user="${svc_user/\.\\/$COMPUTERNAME}"
  # LocalSystem is SYSTEM in Cygwin; otherwise map 'HOST\name' via /etc/passwd
  svc_user=$([ "$svc_user" = "LocalSystem" ] && echo "SYSTEM" || grep -F "$svc_user" /etc/passwd | cut -d: -f1)


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
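The registry-based lookup sketched in the message above, written out as an added example; this is not code from the original message, from csih or from Cygwin. It assumes the Cygwin `regtool` command and the /etc/passwd layout of that era, where the gecos field carries the Windows account as 'U-HOST\name' followed by the SID. The passwd lines, the host name WINBOX and the function names are constructed for the example. The mapping is split from the registry read so it can be run and checked offline, and it matches the whole gecos component rather than a substring, so a service account 'WINBOX\bob' cannot be mistaken for the user 'bobby'.

```shell
#!/bin/sh
# Added example (not from the original message, csih or Cygwin): resolve the
# Cygwin user name of the account a Windows service is registered to run
# under, by reading the service's ObjectName instead of probing candidate
# names with 'net user'.  The registry read lives in its own function so the
# mapping can be exercised offline against constructed passwd data.

# Constructed sample of Cygwin /etc/passwd lines.  The gecos field holds the
# Windows account as 'U-HOST\name' (local) or 'U-DOMAIN\name' (domain) and the SID.
SAMPLE_PASSWD='SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
cyg_server:unused:1003:513:Privileged server,U-WINBOX\cyg_server,S-1-5-21-1-2-3-1003:/var/empty:/bin/false
corinna:unused:1005:513:U-WINBOX\corinna,S-1-5-21-1-2-3-1005:/home/corinna:/bin/bash
bobby:unused:1006:513:U-WINBOX\bobby,S-1-5-21-1-2-3-1006:/home/bobby:/bin/bash
bob:unused:10500:10513:U-EXAMPLE\bob,S-1-5-21-9-8-7-1106:/home/bob:/bin/bash'

# Cygwin only: raw ObjectName of service $1, empty if the service is missing.
read_service_objectname() {
    regtool get "/HKLM/SYSTEM/CurrentControlSet/Services/$1/ObjectName" 2>/dev/null
}

# Map an ObjectName value to a Cygwin user name.
#   $1  ObjectName as stored by the service control manager
#   $2  this machine's NetBIOS name (COMPUTERNAME)
#   $3  contents of /etc/passwd
# Prints the user name and returns 0; prints nothing and returns 1 when there
# is no match or more than one passwd entry claims the same Windows account.
objectname_to_cygwin_user() {
    objname=$1
    host=$2
    passwd=$3
    [ -n "$objname" ] || return 1
    # LocalSystem has no 'U-...' gecos entry; it is the Cygwin SYSTEM account.
    if [ "$objname" = LocalSystem ]; then
        echo SYSTEM
        return 0
    fi
    # The SCM stores local accounts as '.\name'; expand '.\' to the host name.
    case $objname in
        .\\*) rest=${objname#.\\}; objname="$host\\$rest" ;;
    esac
    # Exact match on one comma-separated gecos component.  TARGET is passed
    # through the environment because 'awk -v' would reinterpret the backslash.
    user=$(printf '%s\n' "$passwd" |
        TARGET="U-$objname" awk -F: '
            BEGIN { t = ENVIRON["TARGET"] }
            { n = split($5, f, ",")
              for (i = 1; i <= n; i++) if (f[i] == t) { hits++; name = $1 } }
            END { if (hits == 1) print name }')
    [ -n "$user" ] || return 1
    echo "$user"
}

# Real entry point on a Cygwin host; the checks below exercise the mapping only.
service_cygwin_user() {
    objectname_to_cygwin_user "$(read_service_objectname "$1")" \
        "$COMPUTERNAME" "$(cat /etc/passwd)"
}

# Offline demonstration against the constructed data:
objectname_to_cygwin_user 'LocalSystem'  WINBOX "$SAMPLE_PASSWD"   # SYSTEM
objectname_to_cygwin_user '.\cyg_server' WINBOX "$SAMPLE_PASSWD"   # cyg_server
objectname_to_cygwin_user 'EXAMPLE\bob'  WINBOX "$SAMPLE_PASSWD"   # bob
```

On a Cygwin host `service_cygwin_user sshd` performs the real lookup; a non-zero return means the service is not registered or its account has no passwd entry, which a script like ssh-user-config should report rather than guess a name.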

