Charles Wilson wrote:
Corinna Vinschen wrote:

We can require Administrators (-544) in /etc/group, and SYSTEM (-18)
in both /etc/group and /etc/passwd, right?

Yes. I'm just wondering if we shouldn't check for the Admins group
only. The token of the SYSTEM user always contains the Admins group and
the cyg_server (or whatever the name is) user is always (and should
always) be created as member of the admins group, too. So, if I didn't
miss anything important, the check could be reduced to checking for the
admins group permissions. Does that make sense?

It makes sense -- if the following assertion is true for NT/2k/XP, as
well as more modern versions of Windows, for both cygwin-1.5 and
cygwin-1.7:

Admins group access to a file (-...[rwx]... as specified by $2 if group
ownership of the file is Administrators, or a sufficient group token in
the extended ACLs is present as determined by getfacl) is necessary and
sufficient for the SYSTEM user (and/or the special privileged user) to
access the file, regardless of the file's actual owner.

Well, the changes are piling up in this release, so all I implemented
with regards to this specific issue was

(1) csih_get_system_and_admins_ids() doesn't fail if it can't find
    the Administrators group entry in /etc/passwd
(2) csih_check_access() skips checking if the file is owned by the
    Administrators group when csih_ADMINSUID is empty.

We can address the finer points of this issue -- and probably others --
in 0.1.7.

I've uploaded csih-0.1.6 as a test release, but I do not imagine it will
survive to curr: without changes. (e.g. it is most likely broken. I hope
not, but...my testing environment is limited.) Please test and send
patches for a better 0.1.7. Also see FIXME in
csih_create_unprivileged_user.

Here's the change log and news:

NEWS

* more permissions tweaks for privileged user:
  See http://cygwin.com/ml/cygwin/2008-06/msg00453.html
  Users of earlier versions of csih may need to manually
  adjust their existing privileged users. Again:
      editrights -r SeDenyNetworkLogonRight -u cyg_server
      editrights -r SeDenyInteractiveLogonRight -u cyg_server
      editrights -r SeIncreaseQuotaPrivilege -u cyg_server
* Even on NT/2k/XP, prefer to use "privileged" user (cyg_server,
  sshd_server, cron_server, etc) if a suitable such user already
  exists. If not, then for these older OS's, fall back to SYSTEM.
  As always, by setting csih_FORCE_PRIVILEGED_USER -- usually done
  by the calling script via a command line argument, such as
      /usr/bin/iu-config -privileged
  the user can force NT/2k/XP to behave as Vista or Server2008: a
  privileged user is required, and if one does not exist it will
  be created.
* Also accept privileged accounts that exist only in /etc/passwd and
  are not present in the local SAM. That is, accept pre-existing
  privileged domain accounts.
* New utility program: getVolInfo
  http://cygwin.com/ml/cygwin/2007-08/msg00040.html
* New function: csih_path_supports_acls() returns 0 (success)
  if the specified path is located on a volume that supports
  ACLs. Uses getVolInfo. Behavior can be modified, when getVolInfo
  is incorrect, by setting user-accessible variables:
      csih_WIN32_VOLS_WITH_ACLS
      csih_WIN32_VOLS_WITHOUT_ACLS
  which each may contain ;-separated lists of win32 paths,
  specifying volumes in the relevant category.
* It is no longer a fatal error if, when checking the
  permissions or access rights of a file or directory, the
  target is located on a volume that does not support ACLs.
  A warning is issued, but operation continues.
* The Administrators group is no longer required to be in
  /etc/passwd. However, it is still required in /etc/group.
  SYSTEM is (still) required in both /etc/passwd and /etc/group.

ChangeLog

2008-08-07 Charles Wilson <...>

    Add getVolInfo utility program. Use it to avoid
    checking permissions on volumes that do not support ACLs.
    * csih.sh (main): update documentation.
    (csih_WIN32_VOLS_WITH_ACLS): new client-accessible var.
    (csih_WIN32_VOLS_WITHOUT_ACLS): ditto.
    (csih_path_supports_acls): new function.
    (_csih_convert_w32vol_to_shell_pattern): new function.
    (_csih_path_in_volumelist_core): new function.
    (_csih_path_in_volumelist): new function.
    (csih_get_system_and_admins_ids): update comments.
    No longer an error if Administrators group is not found
    in /etc/passwd.
    (_csih_warning_for_win9x_perms): new function.
    (_csih_warning_for_missing_ACL_support): new function.
    (csih_check_dir_perms): bail out early (returning success
    but with a warning) if on OS older than windows NT, or the
    specified file/dir is on a volume that does not support ACLs.
    (csih_check_access): ditto. Also, improve comments. If
    csih_ADMINSUID is empty, gracefully skip checking if file/dir
    is owned by the Administrators group.
    * cygwin/Makefile: new file.
    * cygwin/getVolInfo.c: new file.
    * COPYING: update documentation.
    * NEWS: update documentation.

2008-08-04 Charles Wilson <...>

    Accept pre-existing privileged domain accounts.
    Default to privileged account on NT/2k/XP if exist.
    * csih.sh (csih_privileged_accounts): Always look
    for privileged users if NT or better. Look in both
    /etc/passwd and local SAM.
    (csih_privileged_account_exists): Update documentation
    to reflect behavior change inherited from above.
    (csih_select_privileged_username): Attempt to return
    a username even on NT/2k/XP (but default to empty if
    no pre-existing privileged user on those OS's). Be more
    specific in the informational messages emitted. Look
    in both /etc/passwd and local SAM for accounts, if user
    specified one we don't know about already.
    (csih_create_privileged_user): Improve comments.
    (csih_create_unprivileged_user): Improve comments.
    See FIXME! (remove this line from ChangeLog when resolved)
    (csih_service_should_run_as): Improve comments. Check
    both /etc/passwd and local SAM if "answer" is an account
    that did not exist when script was launched. For NT/2k/XP,
    default to pre-existing privileged user (if one exists), and
    only report SYSTEM otherwise.
    * NEWS: Document new behavior

2008-07-19 Corinna Vinschen <...>

    * csih.sh (csih_account_has_necessary_privileges): Don't
    explicitly test for SeDenyXXX rights, nor for
    SeIncreaseQuotaPrivilege.
    (csih_create_privileged_user): Drop setting
    SeDenyInteractiveLogonRight and SeIncreaseQuotaPrivilege.
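
The access rule discussed in the quoted exchange above (Administrators access through group ownership of the file, or through a group entry in the ACL reported by getfacl), as an added shell example that is not part of the original message or of csih.sh. The function name, the getfacl output layout and the mask handling are assumptions, and the sample ACL text is constructed.

```shell
# Added illustration, not code from csih.sh.
# Usage: getfacl FILE | admins_have_access PERMS   (PERMS e.g. "rx")
# Group name and gid default to Administrators / 544, as in the thread.
admins_have_access() {
    awk -v need="$1" -v grp="${2:-Administrators}" -v gid="${3:-544}" '
        function has(perms, want,    i) {        # every wanted bit present?
            for (i = 1; i <= length(want); i++)
                if (index(perms, substr(want, i, 1)) == 0) return 0
            return 1
        }
        function masked(perms,    i, c, out) {   # apply the ACL mask, if any
            if (mask == "") return perms
            out = ""
            for (i = 1; i <= length(perms); i++) {
                c = substr(perms, i, 1)
                if (c != "-" && index(mask, c)) out = out c
            }
            return out
        }
        /^# group:/ { owner_grp = $0; sub(/^# group:[ \t]*/, "", owner_grp); next }
        /^#/        { next }
        { sub(/[ \t]+#.*$/, ""); n = split($0, f, ":") }
        f[1] == "mask"                                            { mask = f[n] }
        f[1] == "group" && n == 3 && f[2] == ""                   { owning = f[3] }
        f[1] == "group" && n == 3 && (f[2] == grp || f[2] == gid) { named = f[3] }
        END {   # decide at the end: the mask line may follow the group lines
            ok = has(masked(named), need)
            if ((owner_grp == grp || owner_grp == gid) && has(masked(owning), need))
                ok = 1
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample getfacl output (not captured from a real system).
sample_owned='# file: /var/empty
# owner: SYSTEM
# group: Administrators
user::rwx
group::r-x
mask:rwx
other:r-x'
sample_named='# file: /var/log/sshd.log
# owner: cyg_server
# group: None
user::rw-
group::r--
group:Administrators:rwx
mask:r-x
other:r--'
```

In `sample_named` the Administrators entry reads `rwx`, but the mask limits it to `r-x`, so a check for `rwx` fails while `rx` succeeds.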