This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

From: Charles Wilson <cygwin at cwilson dot fastmail dot fm>
To: cygwin at cygwin dot com
Date: Thu, 07 Aug 2008 12:59:29 -0400
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
References: <48821B9F.6070907@cwilson.fastmail.fm> <20080719171235.GO5675@calimero.vinschen.de> <488252B5.8000501@cwilson.fastmail.fm> <20080720122754.GP5675@calimero.vinschen.de> <20080720134054.GQ5675@calimero.vinschen.de> <4897AD74.8020606@cwilson.fastmail.fm> <20080807075806.GA30629@calimero.vinschen.de> <489B13F4.4030002@cwilson.fastmail.fm> <20080807154823.GI3806@calimero.vinschen.de> <489B20AC.9080902@cwilson.fastmail.fm> <20080807164241.GK3806@calimero.vinschen.de>

Corinna Vinschen wrote:

We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in both /etc/group and /etc/passwd, right?


Yes.  I'm just wondering if we shouldn't check for the Admins group
only.  The token of the SYSTEM user always contains the Admins group and
the cyg_server (or whatever the name is) user is always (and should
always) be created as member of the admins group, too.  So, if I didn't
miss anything important, the check could be reduced to checking for the
admins group permissions.  Does that make sense?

It makes sense -- if the following assertion is true for NT/2k/XP, as well as more modern versions of Windows, for both cygwin-1.5 and cygwin-1.7:

Admins group access to a file (-...[rwx]... as specified by $2 if group ownership of the file is Administrators, or a sufficient group token in the extended ACLs is present as determined by getfacl) is necessary and sufficient for the SYSTEM user (and/or the special privileged user) to access the file, regardless of the file's actual owner.

--
Chuck

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Follow-Ups:
- csih-0.1.6 available for testing [Was: Re: CSIH patch (Re: Unable to run sshd ...)]
  - From: Charles Wilson
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Corinna Vinschen

References:
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Charles Wilson
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Corinna Vinschen
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Charles Wilson
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Corinna Vinschen
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Charles Wilson
- Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]