Setup with the new ntsec support has been released for a week.
Since then I have not seen any permission issues on the list.
Markus Schönhaber has been very helpful in testing various
configurations. After analyzing them I propose some extra
improvements:
The main issue is the name "setup.exe" itself, which induces
Windows to launch a Run As pop up when setup is run by
non-privileged users. Answering "yes" allows to set system mounts and
to install Cygwin almost anywhere but it has several drawbacks:
1) Domain users are not included in /etc/passwd
2) The Administrator account may not have Restore privilege
and chown may fail in postinstall scripts.
3) ls -l may show files without rx access for the user running setup
if the Administrator account is not in Users and if the directory
inheritance does not give rx access to Everyone (I have observed
the two events separately but never together).
I believe setup would be more newbie friendly if the name was
changed :(
The patch below also introduces two changes:
1) Currently setup only attempts to change its default group to Users
(or Administrators) if it is None. The patch tries all the time.
I have not seen a case where it would hurt. There are typical scenarios
where it helps, for example when inheritance gives rx access to Users
but not to Everyone nor to the current user's group.
2) When setup is launched from Windows (but not from Cygwin) by a
privileged user, files are owned by Administrators. This can lead to
perceived access restrictions for the current user. Also this feature
generates questions on the list. The patch always gives ownership
to the current user (already the case when running from Cygwin).
Pierre
2003-03-19 Pierre Humblet <[EMAIL PROTECTED]>
* main.cc (set_default_sec): Set token owner from token user.
Always try to set the token primary group to Users or Admins.Index: main.cc
===================================================================
RCS file: /cvs/cygwin-apps/setup/main.cc,v
retrieving revision 2.25
diff -u -p -r2.25 main.cc
--- main.cc 28 Feb 2003 23:42:09 -0000 2.25
+++ main.cc 20 Mar 2003 00:40:35 -0000
@@ -104,16 +104,14 @@ set_default_sec ()
return;
}
- PSID esid = NULL, asid = NULL, usid = NULL;
+ PSID esid = NULL, asid = NULL, usid = NULL, nsid = NULL;
HANDLE token = NULL;
struct {
PSID psid;
char buf[MAX_SID_LEN];
- } gsid;
- char lsid[MAX_SID_LEN];
- char compname[MAX_COMPUTERNAME_LENGTH + 1];
- char domain[MAX_COMPUTERNAME_LENGTH + 1];
+ } osid;
DWORD size;
+ bool isadmins = false, isusers = false;
SID_IDENTIFIER_AUTHORITY sid_auth = { SECURITY_WORLD_SID_AUTHORITY };
if (!AllocateAndInitializeSid (&sid_auth, 1, 0, 0, 0, 0, 0, 0, 0, 0, &esid))
@@ -148,105 +146,78 @@ set_default_sec ()
GetLastError () << endLog;
- /* Get the default group */
- if (!GetTokenInformation (token, TokenPrimaryGroup, &gsid, sizeof gsid, &size))
+ /* Get the user */
+ if (!GetTokenInformation (token, TokenUser, &osid, sizeof osid, &size))
{
log (LOG_TIMESTAMP) << "GetTokenInformation() failed: " <<
GetLastError () << endLog;
goto out;
}
- /* Get the computer name */
- if (!GetComputerName (compname, (size = sizeof compname, &size)))
+ /* Make it the owner */
+ if (!SetTokenInformation (token, TokenOwner, &osid, sizeof osid))
+ log (LOG_TIMESTAMP) << "SetTokenInformation() failed: " <<
+ GetLastError () << endLog;
+
+ sid_auth = (SID_IDENTIFIER_AUTHORITY) { SECURITY_NT_AUTHORITY };
+ /* Get the SID for "Administrators" S-1-5-32-544 */
+ if (!AllocateAndInitializeSid (&sid_auth, 2, SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &asid))
{
- log (LOG_TIMESTAMP) << "GetComputerName() failed: " <<
+ log (LOG_TIMESTAMP) << "AllocateAndInitializeSid() failed: " <<
GetLastError () << endLog;
goto out;
}
-
- /* Get the local domain SID */
- SID_NAME_USE use;
- DWORD sz;
- if (!LookupAccountName (NULL, compname, lsid, (size = sizeof lsid, &size),
- domain, (sz = sizeof domain, &sz), &use))
+ /* Get the SID for "Users" S-1-5-32-545 */
+ if (!AllocateAndInitializeSid (&sid_auth, 2, SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &usid))
{
- log (LOG_TIMESTAMP) << "LookupAccountName() failed: " <<
+ log (LOG_TIMESTAMP) << "AllocateAndInitializeSid() failed: " <<
GetLastError () << endLog;
goto out;
}
-
- /* Create the None SID from the domain SID.
- On NT the last subauthority of a domain is -1 and it is replaced by the RID.
- On other systems the RID is appended. */
- sz = *GetSidSubAuthorityCount (lsid);
- if (*GetSidSubAuthority (lsid, sz -1) != (DWORD) -1)
- *GetSidSubAuthorityCount (lsid) = ++sz;
- *GetSidSubAuthority (lsid, sz -1) = DOMAIN_GROUP_RID_USERS;
-
- /* See if the group is None */
- if (EqualSid (gsid.psid, lsid))
- {
- bool isadmins = false, isusers = false;
- sid_auth = (SID_IDENTIFIER_AUTHORITY) { SECURITY_NT_AUTHORITY };
- /* Get the SID for "Administrators" S-1-5-32-544 */
- if (!AllocateAndInitializeSid (&sid_auth, 2, SECURITY_BUILTIN_DOMAIN_RID,
- DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &asid))
- {
- log (LOG_TIMESTAMP) << "AllocateAndInitializeSid() failed: " <<
- GetLastError () << endLog;
- goto out;
- }
- /* Get the SID for "Users" S-1-5-32-545 */
- if (!AllocateAndInitializeSid (&sid_auth, 2, SECURITY_BUILTIN_DOMAIN_RID,
- DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &usid))
- {
- log (LOG_TIMESTAMP) << "AllocateAndInitializeSid() failed: " <<
- GetLastError () << endLog;
- goto out;
- }
- /* Get the token groups */
- if (!GetTokenInformation (token, TokenGroups, NULL, 0, &size)
- && GetLastError () != ERROR_INSUFFICIENT_BUFFER)
+ /* Get the token groups */
+ if (!GetTokenInformation (token, TokenGroups, NULL, 0, &size)
+ && GetLastError () != ERROR_INSUFFICIENT_BUFFER)
+ {
+ log (LOG_TIMESTAMP) << "GetTokenInformation() failed: " <<
+ GetLastError () << endLog;
+ goto out;
+ }
+ else
+ {
+ char buf[size];
+ TOKEN_GROUPS *groups = (TOKEN_GROUPS *) buf;
+
+ if (!GetTokenInformation (token, TokenGroups, buf, size, &size))
{
log (LOG_TIMESTAMP) << "GetTokenInformation() failed: " <<
GetLastError () << endLog;
goto out;
}
- else
- {
- char buf[size];
- TOKEN_GROUPS *groups = (TOKEN_GROUPS *) buf;
-
- if (!GetTokenInformation (token, TokenGroups, buf, size, &size))
- {
- log (LOG_TIMESTAMP) << "GetTokenInformation() failed: " <<
- GetLastError () << endLog;
- goto out;
- }
- else
- /* See if admins or users is present */
- for (DWORD pg = 0; pg < groups->GroupCount; ++pg)
- {
- isadmins = isadmins || EqualSid(groups->Groups[pg].Sid, asid);
- isusers = isusers || EqualSid(groups->Groups[pg].Sid, usid);
- }
- }
- /* Set the default group to one of the above computed SID. */
- PSID nsid = NULL;
- if (isusers)
- {
- nsid = usid;
- log(LOG_TIMESTAMP) << "Changing gid to Users" << endLog;
- }
- else if (isadmins)
- {
- nsid = asid;
- log(LOG_TIMESTAMP) << "Changing gid to Administrators" << endLog;
- }
- if (nsid && !SetTokenInformation (token, TokenPrimaryGroup, &nsid, sizeof nsid))
- log (LOG_TIMESTAMP) << "SetTokenInformation() failed: " <<
- GetLastError () << endLog;
+ else
+ /* See if admins or users is present */
+ for (DWORD pg = 0; pg < groups->GroupCount; ++pg)
+ {
+ isadmins = isadmins || EqualSid(groups->Groups[pg].Sid, asid);
+ isusers = isusers || EqualSid(groups->Groups[pg].Sid, usid);
+ }
+ }
+ /* Set the default group to one of the above computed SID. */
+ if (isusers)
+ {
+ nsid = usid;
+ log(LOG_TIMESTAMP) << "Changing gid to Users" << endLog;
+ }
+ else if (isadmins)
+ {
+ nsid = asid;
+ log(LOG_TIMESTAMP) << "Changing gid to Administrators" << endLog;
}
+ if (nsid && !SetTokenInformation (token, TokenPrimaryGroup, &nsid, sizeof nsid))
+ log (LOG_TIMESTAMP) << "SetTokenInformation() failed: " <<
+ GetLastError () << endLog;
+
out:
/* Close token handle. */
if (token)
