Corinna Vinschen wrote:

No, the above lines are checking for the passwd entry for the
administrators group. S-1-5-32-544 is the SID of that group.
The SID for the Administrator user is S-1-5-21-X-Y-Z-500.

D'oh. Right.

Now, about csih_check_access() -- without exact knowledge of
csih_ADMINSUID, csih_SYSTEMUID, csih_ADMINSGID, and csih_SYSTEMGID, then
the whole csih_check_access() test can't be computed.

If you make those GID/UID vars "optional" (e.g. not a failure if missing),
and then skip the relevant tests in csih_check_access, you might as well
just abandon the test entirely. Is that what we want to do? Never bother
to check for SYSTEM/Administrator access to the specified files?
e.g.
/var/run
/var/log
/var/empty

Somehow that doesn't seem right.

Well, hmm. In theory, admins have backup/restore rights anyway.
However, I was just thinking that csih should get rid of points of
failure which are not entirely necessary, like the checks for denied
user rights. If you think the test is necessary, just stick to it.

Well, part of the purpose of the foo-config scripts is to diagnose -- if
the foo-config script succeeds without error, then one would expect that
the installed service will, in fact, operate correctly. It's much worse
to have a user run ssh-host-config which /apparently/ succeeds, only to
have the service fail to start or operate correctly.

So, I think /some/ version of this test should remain. However, if the
Administrators GROUP is not present in the /etc/passwd file -- that's
not a failure, so long as the Administrator and/or SYSTEM have the
desired access to the file (as well as the file's owner).

So, I can see csih_get_system_and_admins_ids() reporting success if it
finds these three: ADMIN-GID, SYSTEM-GID, and SYSTEM-UID, and treating
ADMIN-UID (e.g. -544 in /etc/passwd) as a non-failure if missing.
Then, csih_check_access (and all other users of ADMIN-UID) would
special-case against empty.

We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in
both /etc/group and /etc/passwd, right?
--
Chuck
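
The lookup rule proposed in the message above, sketched as an added example; it is not part of the original message and is not csih code. The function names, the Cygwin-style passwd/group layout, and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The SIDs are the well-known ones discussed in the thread;
# everything else (names, file layout, sample rows) is assumed.
ADMINS_SID=S-1-5-32-544   # Administrators group
SYSTEM_SID=S-1-5-18       # SYSTEM

# lookup_id FILE SID: print field 3 (uid or gid) of the first entry that
# carries SID as a whole colon- or comma-separated token (exact match only).
lookup_id() {
  awk -F: -v sid="$2" '{
    for (i = 1; i <= NF; i++) {
      n = split($i, tok, ",")
      for (j = 1; j <= n; j++) if (tok[j] == sid) { print $3; exit }
    }
  }' "$1"
}

# get_ids PASSWD GROUP: succeed only if ADMINSGID, SYSTEMGID and SYSTEMUID
# are found; ADMINSUID (the -544 passwd entry) is optional and may stay empty.
get_ids() {
  ADMINSGID=$(lookup_id "$2" "$ADMINS_SID")
  SYSTEMGID=$(lookup_id "$2" "$SYSTEM_SID")
  SYSTEMUID=$(lookup_id "$1" "$SYSTEM_SID")
  ADMINSUID=$(lookup_id "$1" "$ADMINS_SID")
  [ -n "$ADMINSGID" ] && [ -n "$SYSTEMGID" ] && [ -n "$SYSTEMUID" ]
}

# uids_to_check: uids an access test would consider; an empty ADMINSUID is
# special-cased by leaving it out instead of failing.
uids_to_check() {
  echo "$SYSTEMUID${ADMINSUID:+ $ADMINSUID}"
}

# write_sample DIR: constructed passwd/group files with no -544 passwd entry.
write_sample() {
  printf '%s\n' 'SYSTEM:*:18:544:,S-1-5-18::' \
    'chuck:unused:1001:513:,S-1-5-21-1-2-3-1001:/home/chuck:/bin/bash' > "$1/passwd"
  printf '%s\n' 'SYSTEM:S-1-5-18:18:' 'Administrators:S-1-5-32-544:544:' > "$1/group"
}
```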