Date: Wed, 9 Apr 2008 14:09:56 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: csih-0.1.3-1

On Apr  8 10:12, Corinna Vinschen wrote:
> On Apr  8 01:21, Charles Wilson wrote:
> > Well, I'm waiting for answers to the questions here:
> > http://cygwin.com/ml/cygwin/2008-04/msg00211.html
> > from Corinna and Yaakov, but in the meantime:
> >
> > Here's a version of ssh-user-config that works with CVS csih (what will
> > become 0.1.4 very soon).
>
> Cool, thanks!
>
> I'll have a look,
> Corinna

Looks ok, but I have a few questions/comments.

- When the script starts, the following text appears:

  *** Info: You appear to be running Windows 2003 Server or later. On 2003 and
  *** Info: later systems, it's not possible to use the LocalSystem account
  *** Info: for services that can change the user id without an explicit password
  *** Info: (such as passwordless logins [e.g. public key authentication] via sshd).

  *** Info: If you want to enable that functionality, it's required to create a new
  *** Info: account with special privileges (unless a similar account already exists).
  *** Info: This account is then used to run these special servers.

  *** Info: Note that creating a new user requires that the current account have
  *** Info: Administrator privileges itself.

  *** Info: The following privileged accounts were found: 'cyg_server' .

  *** Info: This script plans to use 'cyg_server'.
  *** Info: 'cyg_server' will not be able to log on interactively, but will only
  *** Info: be used by registered services.

  *** Query: Do you want to use different name? (yes/no) no

  The query "Do you want to use different name?" is a bit upside down,
  IMHO. The query should be rather phrased positively "Do you want to
  use t name?"

  However, I think the whole message is too noisy and confusing for
  non-admins. The default user doesn't actually know which user name
  the sshd service is running under.

  Additionally, given that Cygwin opens files always with BACKUP_INTENT
  for a while anyway, and given that the service account is a member of
  the administrators group, which has backup user rights, there's not
  much reason anymore to add the service account to the ACL. I fear
  that's just old cruft in the ssh-user-script.

  But, here's a question: Shouldn't the csih_privileged_accounts()
  function check the service itself, rather than testing possible names
  with `net user'? It would be as simple as giving
  csih_privileged_accounts the service name as $1 argument, and then
  extract the user name with something along the lines of

    # Account the service is registered to run as
    svc_user=$(regtool get "/HKLM/SYSTEM/CurrentControlSet/Services/$1/ObjectName")
    # ".\user" denotes a local account: expand it to COMPUTERNAME\user
    svc_user="${svc_user/\.\\/$COMPUTERNAME\\}"
    # Map to the Cygwin user name; LocalSystem appears as SYSTEM
    svc_user=$([ "$svc_user" = "LocalSystem" ] && echo "SYSTEM" || echo $(fgrep "${svc_user}" /etc/passwd | cut -d: -f 1))


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
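The lookup suggested in the message above, worked through as an added example that is not part of the original mail or of csih: it resolves a service's `ObjectName` value to a Cygwin user name by exact match, so one account name cannot match another that merely contains it. The names `resolve_service_account` and `sample_passwd` are hypothetical, the passwd entries are constructed, and the `U-DOMAIN\user` gecos sub-field is assumed to be present as mkpasswd writes it.

```shell
#!/bin/sh
# Added example (hypothetical helper, not csih code).
# Usage: resolve_service_account OBJECTNAME COMPUTERNAME [PASSWD_FILE]
# OBJECTNAME is the registry value, e.g. the output of
#   regtool get "/HKLM/SYSTEM/CurrentControlSet/Services/$svc/ObjectName"
resolve_service_account() {
    obj=$1 host=$2 passwd=${3:-/etc/passwd}
    case $obj in
        '')          return 1 ;;                 # no ObjectName value read
        LocalSystem) echo SYSTEM; return 0 ;;
        '.\'*)       win="$host\\${obj#??}" ;;   # ".\user" is a local account
        *'\'*)       win=$obj ;;                 # already DOMAIN\user
        *)           win="$host\\$obj" ;;        # bare name: assume local
    esac
    # Pass the name through the environment: awk -v would interpret the
    # backslash as an escape. Compare whole gecos sub-fields, ignoring case,
    # so "cyg_server" cannot match "cyg_server2" as a substring grep would.
    WANT="U-$win" awk -F: '
        BEGIN { want = tolower(ENVIRON["WANT"]) }
        {
            n = split($5, g, ",")
            for (i = 1; i <= n; i++)
                if (tolower(g[i]) == want) { print $1; found = 1; exit }
        }
        END { exit !found }' "$passwd"
}

# Constructed passwd entries (assumed layout: U-DOMAIN\user,SID in gecos).
sample_passwd() {
    cat <<'EOF'
SYSTEM:*:18:544:,S-1-5-18::
cyg_server2:unused:1006:513:U-MYHOST\cyg_server2,S-1-5-21-1-2-3-1006:/var/empty:/bin/false
cyg_server:unused:1005:513:Privileged server,U-MYHOST\cyg_server,S-1-5-21-1-2-3-1005:/var/empty:/bin/false
EOF
}

# Demo on the constructed data.
tmp=$(mktemp) && sample_passwd > "$tmp"
resolve_service_account '.\cyg_server' MYHOST "$tmp"   # prints cyg_server
rm -f "$tmp"
```

A non-zero return means the service account has no passwd entry, which is the case a caller should report rather than fall back to a guessed name.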