Mail Archives: cygwin/2008/07/19/16:47:26
Corinna Vinschen wrote:
> However, I sent a second patch in
> http://cygwin.com/ml/cygwin/2008-06/msg00453.html
> The Interactive Logon Right is also necessary for this account.
I don't know why I missed that. I'll roll 0.1.6 soon.
> What also doesn't work well is this: In a domain I might want a
> cyg_server domain account, rather than a local account on each
> machine. The reason is that the rights of the domain account can
> be nicely controlled via group policy. That won't work for local
> accounts on the domain member machines. Therefore, if a cyg_server
> account exists in /etc/passwd, I think it should be used.
I'm afraid I have no access to a domain account on which I can test this
sort of thing (I mean, I /do/ have a domain account at work, but I can't
experiment with adding new domain accounts, nor manipulate their privileges).
This is the primary function that obtains a list of all "candidate"
privileged accounts (unless the user has already set
csih_PRIVILEGED_USERNAME):
csih_privileged_accounts()
{
  csih_stacktrace "${@}"
  $_csih_trace
  local username
  local accounts
  local first_account
  if ( csih_is_nt2003 || [ csih_is_nt -a "x$csih_FORCE_PRIVILEGED_USER" = "xyes" ] )
  then
    if [ -z "${_csih_all_preexisting_privileged_accounts}" ]
    then
      for username in cyg_server cron_server sshd_server
      do
        if net user "${username}" 1> /dev/null 2>&1
        then
          [ -z "${first_account}" ] && first_account="${username}"
          accounts="${accounts}'${username}' "
        fi
      done
      if [ -n "${accounts}" ]
      then
        _csih_all_preexisting_privileged_accounts="${accounts}"
        _csih_preferred_preexisting_privileged_account="${first_account}"
      fi
    fi
  fi
} # === End of csih_privileged_accounts() === #
I imagine you are suggesting that the following loop:
  for username in cyg_server cron_server sshd_server
  do
    if net user "${username}" 1> /dev/null 2>&1
    then
      [ -z "${first_account}" ] && first_account="${username}"
      accounts="${accounts}'${username}' "
    fi
  done
Should be modified somehow, perhaps (UNTESTED):
  for username in cyg_server cron_server sshd_server
  do
    if egrep "^${username}:" /etc/passwd 1>/dev/null 2>&1 ||
       net user "${username}" 1> /dev/null 2>&1
    then
      [ -z "${first_account}" ] && first_account="${username}"
      accounts="${accounts}'${username}' "
    fi
  done
However, note that at present there is no provision in csih to
"decorate" user names with domain information (e.g.
username="MyDomain\cyg_server"). It /might/ work, if you manually set
csih_PRIVILEGED_USERNAME that way, but I haven't tested it -- and have
no way to do so. It would be serendipitous at best if that worked. But
I'm not sure you really /need/ that -- if the privileged domain user is
in the active domain of the computer on which you want to use that
privileged account (e.g. to run sshd)...which I imagine is the use case
under consideration here...I don't think you really /need/ to explicitly
specify the domain.
--
Chuck
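
As an added illustration (not part of the original message and not csih code), the /etc/passwd half of the lookup discussed above can match the name field exactly and also report whether each hit is a local or a domain account. It assumes the gecos field carries the U-ORIGIN\name,SID form that mkpasswd writes; the function names and sample entries are made up for the example, and the `net user` probe is left out because it needs Windows.

```shell
#!/bin/sh
# Added example, not csih code. Covers only the passwd-file lookup.

# Write a constructed sample passwd file to path $1.
make_sample_passwd()
{
  cat > "$1" <<'EOF'
SYSTEM:*:18:544:,S-1-5-18::
sshd_server:unused:1005:513:U-BUILDBOX\sshd_server,S-1-5-21-1111-2222-3333-1005:/var/empty:/bin/false
cyg_server:unused:11234:10513:U-MyDomain\cyg_server,S-1-5-21-4444-5555-6666-1234:/var/empty:/bin/false
cyg_server_old:unused:1009:513:retired service account:/var/empty:/bin/false
EOF
}

# Print "name<TAB>origin" for each candidate present in passwd file $1,
# in the same preference order as the csih loop. origin is the DOMAIN or
# MACHINE part of a "U-ORIGIN\name,SID" gecos field (assumed format),
# or "-" when the field does not have that form.
passwd_candidates()
{
  awk -F: -v names="cyg_server cron_server sshd_server" '
    BEGIN { n = split(names, order, " ") }
    {
      for (i = 1; i <= n; i++) {
        # Exact comparison on field 1, so cyg_server_old is not a hit.
        if ($1 == order[i] && !(i in origin)) {
          o = "-"
          if (match($5, /^U-[^\\]+\\/))
            o = substr($5, 3, RLENGTH - 3)
          origin[i] = o
        }
      }
    }
    END {
      for (i = 1; i <= n; i++)
        if (i in origin) printf "%s\t%s\n", order[i], origin[i]
    }' "$1"
}

# First candidate in preference order, i.e. what the loop would pick
# as first_account.
preferred_candidate()
{
  passwd_candidates "$1" | head -n 1 | cut -f1
}

tmp=$(mktemp) && make_sample_passwd "$tmp" && passwd_candidates "$tmp"
rm -f "$tmp"
```

An origin that differs from the local machine name indicates a domain account, which is the case where rights can be managed through group policy.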