On Thu, Nov 27, 2003 at 11:24:55AM +0100, Corinna Vinschen wrote:
> On Thu, Nov 27, 2003 at 09:58:52AM -0000, Morrison, John wrote:
> > Corinna Vinschen wrote:
> > >   I don't know exactly
> > > but it's possible that W2K doesn't have these SeDenyWhatever user
> > > rights. 
> > 
> > editrights -a SeDenyRemoteInteractiveLogonRight -u root
> > 
> > was the one that failed.  Would it be best (assuming these
> > last 3 are optional) to 2> /dev/null them?  Is there any other info
> > that would help?
> 
> Er... only this one?  Hmm, that makes sense, sort of.  Looks like
> this right has only existed since XP.
> 
> I'm reluctant to devnull them.  There might be a real error hidden
> by doing this.  I'd better add another variable to check whether we're
> running under XP or newer.

ping! ping! ping! 

New create-root script attached!

This script should do it right now.  Additionally, I changed the way
the password is read to use the `read -s' option, which hides what is
actually typed in.

Can you give this script another test?

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:[EMAIL PROTECTED]
Red Hat, Inc.
#!/bin/bash
#
# create-root, Copyright 2003 Red Hat Inc.
#
# This file is part of Cygwin.

# Subdirectory where the new package is being installed.
# NOTE(review): nothing further down in this script reads PREFIX; it is
# presumably kept for consistency with the other *-config scripts.
PREFIX='/usr'

# Directory where the config files (passwd, group) are stored.
SYSCONFDIR='/etc'

# Name under which the script was invoked; shown in the usage message.
progname="$0"

# "yes" or "no" answers every request() automatically (set by -y / -n);
# empty means "ask interactively".
auto_answer=''

# Accepted via -p/--port; not read anywhere else in this script.
port_number='22'

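#######################################
# Ask a yes/no question and return the answer as an exit status.
# Globals:   auto_answer (read) - "yes" or "no" answers without prompting;
#            anything else prompts until "yes" or "no" is typed.
# Arguments: $1 - question text, printed followed by " (yes/no) "
# Outputs:   the prompt (plus the automatic answer, if any) on stdout
# Returns:   0 for "yes", 1 for "no" (also 1 if stdin is exhausted before
#            a valid answer was given, instead of looping forever)
#######################################
request()
{
  local answer

  case "${auto_answer}" in
  yes)
    printf '%s (yes/no) yes\n' "$1"
    return 0
    ;;
  no)
    printf '%s (yes/no) no\n' "$1"
    return 1
    ;;
  esac

  answer=""
  while [ "X${answer}" != "Xyes" ] && [ "X${answer}" != "Xno" ]
  do
    printf '%s (yes/no) ' "$1"
    # -r keeps backslashes typed by the user literal; without it they were
    # interpreted as escapes.  EOF on stdin counts as "no".
    read -r -e answer || return 1
  done
  [ "X${answer}" = "Xyes" ]
}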

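# Check options

#######################################
# Parse the command line and set the option variables.
# Globals:   auto_answer, cygwin_value, port_number, password_value (written)
#            progname (read, for the usage message)
# Arguments: the script's command line ("$@")
# Outputs:   usage text on stdout for an unknown option
# Returns:   0; exits with status 1 on an unknown option
#######################################
parse_options()
{
  local option

  while [ $# -gt 0 ]
  do
    option=$1
    shift

    case "${option}" in
    -d | --debug )
      # Traces the whole script from here on, not just this function.
      set -x
      ;;

    -y | --yes )
      auto_answer=yes
      ;;

    -n | --no )
      auto_answer=no
      ;;

    -c | --cygwin )
      # Accepted for compatibility; cygwin_value is not read anywhere in
      # this script.
      cygwin_value="$1"
      shift
      ;;

    -p | --port )
      # Same as -c: port_number is not read anywhere in this script.
      port_number=$1
      shift
      ;;

    -w | --pwd )
      # NOTE: a password passed on the command line is visible to other
      # local users via the process list; the interactive prompt (read -s)
      # is the safer way to supply it.
      password_value="$1"
      shift
      ;;

    *)
      echo "usage: ${progname} [OPTION]..."
      echo
      # The inner quotes were previously unescaped, which printed "root"
      # without them.
      echo "This script creates a \"root\" user which has appropriate privileges"
      echo "to run services which need to switch user context without password."
      echo
      echo "Options:"
      echo "  --debug  -d            Enable shell's debug output."
      echo "  --yes    -y            Answer all questions with \"yes\" automatically."
      echo "  --no     -n            Answer all questions with \"no\" automatically."
      echo "  --pwd    -w <passwd>   Use \"pwd\" as password for user 'root'."
      echo
      exit 1
      ;;

    esac
  done
}

parse_options "$@"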

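# Check if running on NT and, if so, which NT version.

#######################################
# Classify a uname(1) string into the _nt/_nt5/_nt5_1 globals.
# Globals:   _nt    (written) - "yes" if $1 contains "CYGWIN_NT", else "no"
#            _nt5   (written) - "yes"/"no": the version after the first '-'
#                               is >= 5.0 (W2K or later)
#            _nt5_1 (written) - "yes"/"no": that version is > 5.0 (XP or later)
# Arguments: $1 - uname output, e.g. "CYGWIN_NT-5.1"
#######################################
classify_windows()
{
  local uname_out=$1

  case "${uname_out}" in
  *CYGWIN_NT*) _nt=yes ;;
  *)           _nt=no ;;
  esac

  # awk compares the version field numerically, so "10.0" sorts after "5.0";
  # a shell string comparison would not.
  _nt5=$(printf '%s\n' "${uname_out}" | awk -F- '{print ( $2 >= 5.0 ) ? "yes" : "no";}')
  _nt5_1=$(printf '%s\n' "${uname_out}" | awk -F- '{print ( $2 > 5.0 ) ? "yes" : "no";}')
}

classify_windows "$(uname)"

# If not running on NT, nothing to do.  The variable is quoted: unquoted, an
# unset _nt made the test itself fail and the script carried on regardless.
if [ "${_nt}" != "yes" ]
then
  echo "Nothing to do on 9x/Me."
  exit 0
fi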

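# Check for ${SYSCONFDIR} directory.  Two separate tests instead of the
# deprecated '-a' conjunction inside a single '[ ]'.
if [ -e "${SYSCONFDIR}" ] && [ ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary
if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  # Probe with -d rather than -e: at this point anything that is not a
  # directory counts as a failure, whatever mkdir's own status was.
  if [ ! -d "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi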

echo
echo
echo "Warning: The following functions require administrator privileges!"
echo

# Is there already a root entry in ${SYSCONFDIR}/passwd?
if grep -q '^root:' "${SYSCONFDIR}/passwd"
then
  root_in_passwd=yes
fi

# A pre-existing root entry may carry wrong settings, so strip it; the
# correct one is appended further down once the SAM account exists.
# NOTE(review): between the 'rm -f' and the 'mv' there is a short moment
# without a passwd file.  Whether a plain 'mv' over the old file would do
# here depends on Windows file-sharing semantics, so the sequence is kept.
if [ "${root_in_passwd}" = "yes" ]
then
  grep -v '^root:' "${SYSCONFDIR}/passwd" > "${SYSCONFDIR}/passwd.$$"
  rm -f "${SYSCONFDIR}/passwd"
  mv "${SYSCONFDIR}/passwd.$$" "${SYSCONFDIR}/passwd"
  chmod g-w,o-w "${SYSCONFDIR}/passwd"
fi

# Rewrite the group file with a known-good root entry first (gid 0 mapped to
# the local Administrators group, SID S-1-5-32-544) followed by every other
# line of the old file.
{
  echo 'root:S-1-5-32-544:0:'
  grep -v '^root:' "${SYSCONFDIR}/group"
} > "${SYSCONFDIR}/group.$$"
rm -f "${SYSCONFDIR}/group"
mv "${SYSCONFDIR}/group.$$" "${SYSCONFDIR}/group"
chmod g-w,o-w "${SYSCONFDIR}/group"

# Get the local (possibly localized) name of the administrators group: the
# entry with gid 544 in the output of 'mkgroup -l'.
_admingroup=$(mkgroup -l | awk -F: '/:544:/{print $1;}')

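# Check if a user root exists on the system.
net user root >/dev/null 2>&1 && root_in_sam=yes
if [ "${root_in_sam}" = "yes" ]
then
  echo
  echo "You already have a user 'root' on your system.  Is that user supposed"
  if ! request "to be used as the required privileged user account?"
  then
    echo
    echo "In that case, this script can't do its job.  Either rename the"
    echo "user called 'root' or create a 'root' entry in ${SYSCONFDIR}/passwd,"
    echo "using a user with appropriate privileges."
    exit 1
  fi
else
  # Create a local root user.
  mkdir -p /home/root
  _root_home_dos=$(cygpath -w /home/root)
  # Capture file for the 'net user' output, shown to the user on failure.
  # NOTE(review): the name is predictable; a mktemp-based name would be
  # preferable where mktemp is available.
  _net_out=/tmp/nu.$$
  while [ "${root_in_sam}" != "yes" ]
  do
    if [ -n "${password_value}" ]
    then
      _password="${password_value}"
      # Use the -w password for the first try only; if 'net user' rejects
      # it, fall back to asking interactively on the next round.
      password_value=""
    else
      echo
      echo "Please enter a password for new user 'root'.  Please be sure that"
      echo "this password matches the password rules given on your system."
      echo "Entering no password will exit the configuration."
      # Reset both values before prompting.  Without this, a password that
      # was typed consistently but rejected by 'net user' still satisfied
      # the loop condition, so it was retried forever without ever asking.
      _password=""
      _password_check=""
      while [ -z "${_password}" ] || [ "${_password}" != "${_password_check}" ]
      do
        echo
        read -r -s -e -p "Password: " _password
        echo
        if [ -z "${_password}" ]
        then
          echo
          echo "Exiting configuration.  No user root has been created."
          exit 1
        fi
        read -r -s -e -p "Reenter password: " _password_check
        echo
        if [ "${_password}" != "${_password_check}" ]
        then
          echo
          echo "Sorry, passwords do not match.  Try again."
        fi
      done
    fi
    # NOTE: 'net user' receives the password as an argument, so it is
    # briefly visible in the process list while the command runs.
    net user root "${_password}" /add /fullname:"Cygwin root account" \
      "/homedir:${_root_home_dos}" /yes > "${_net_out}" 2>&1 && root_in_sam=yes
    if [ "${root_in_sam}" != "yes" ]
    then
      echo "Creating the user 'root' failed!  Reason:"
      cat "${_net_out}"
    fi
    # Remove the capture file on every round; previously it was only removed
    # after a failure and stayed behind in /tmp on success.
    rm -f "${_net_out}"
  done
fi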

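# Check if root is already member of the local administrators group.  The
# localized name found above is used here as well; the English literal
# "administrators" does not resolve on non-English Windows installations,
# which made this check fail and the "add" below report a spurious warning.
net localgroup "${_admingroup}" | grep -E -q '\<root\>' && root_in_admingroup=yes

# Otherwise add root to the local administrators group.
if [ "${root_in_admingroup}" != "yes" ]
then
  net localgroup "${_admingroup}" root /add > /dev/null 2>&1 && root_in_admingroup=yes
  if [ "${root_in_admingroup}" != "yes" ]
  then
    echo "WARNING: Adding user root to local group ${_admingroup} failed!"
    echo "Please add root to local group ${_admingroup} before"
    echo "starting the sshd service!"
    echo
  fi
fi

# Report a newly created account.  _password is only set on the creation
# path above, so a pre-existing root user gets no message.  The password is
# deliberately not echoed back: it was read with 'read -s' so that it does
# not show up on the terminal or in any captured output.
if [ -n "${_password}" ]
then
  echo
  echo "User 'root' has been created."
  echo "If you change the password, please keep in mind to change the password"
  echo "for all services running under user 'root', too."
fi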

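# Try setting the password expiry to "never".  This requires a newer version
# of the passwd tool: the version number in the "passwd ..." line of
# 'passwd -v' must be 1.5 or later.  (The awk program is one line; the
# earlier listing had it wrapped across two.)
passwd_has_expiry_flags=$(passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}')
if [ "${passwd_has_expiry_flags}" != "yes" ]
then
  echo
  echo "WARNING: User root has password expiry set to system default."
  echo "Please check that password never expires or set it to your needs."
else
  if ! passwd -e root
  then
    echo
    echo "WARNING: Setting password expiry for user root failed!"
    echo "Please check that password never expires or set it to your needs."
  fi
fi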

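# Create appropriate root entry with uid and gid 0 in /etc/passwd.
# mkpasswd prints root's SAM entry; sed forces the uid:gid fields to 0:0 and
# turns a shell field ending in "bash" into "false" (presumably to keep the
# account from being used for interactive shell logins).
if [ "${root_in_sam}" = "yes" ]
then
  mkpasswd -l -u root | sed -e 's/:[0-9]*:[0-9]*:/:0:0:/;s/bash$/false/' >> "${SYSCONFDIR}/passwd"
fi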

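# Give user root the appropriate user rights.  These four are mandatory; the
# result is checked below.  Every right is attempted and each failure named,
# where the former '&&' chain stopped at the first one without saying which.
root_got_all_rights="yes"
for _right in SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege \
              SeIncreaseQuotaPrivilege SeServiceLogonRight
do
  if ! editrights -a "${_right}" -u root
  then
    echo "WARNING: Granting ${_right} to user 'root' failed!"
    root_got_all_rights="no"
  fi
done

# The "deny logon" rights only exist on W2K and higher.  They are not part of
# the mandatory set above, so a failure here does not abort the script.
if [ "${_nt5}" = "yes" ]
then
  editrights -a SeDenyInteractiveLogonRight -u root
  editrights -a SeDenyNetworkLogonRight -u root
  # DenyRemoteInteractiveLogon only exists on XP and higher.
  if [ "${_nt5_1}" = "yes" ]
  then
    editrights -a SeDenyRemoteInteractiveLogonRight -u root
  fi
fi

if [ "${root_got_all_rights}" != "yes" ]
then
  echo
  echo "Assigning the appropriate privileges to user 'root' failed!"
  echo "Please be sure to add these rights to user 'root' as soon as possible."
  exit 1
fi

echo
echo "root configuration finished. Have fun!"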
