Hi to all,

I'm sure you already saw this sort of discussion arising on the Cygwin list, which basically says, "I can't run sshd/cron/whatever as service on 2003 Server".
The reason is that 2003 drops the CreateToken privilege from all services running under the LocalSystem account, hence the inability to switch user context without a password.

The week before, I created a solution for sshd, namely an improved ssh-host-config script, which creates a user called "sshd_server" with the appropriate privileges to run sshd under. As it turned out fairly quickly now, this was a short-sighted approach. I forgot entirely that other services will suffer from the same problem.

So, what we need is a general approach. My idea is basically the following:

- On all NT systems, create a user account called "root" which is a member of the administrators group.
- Always add "root" with uid 0 to /etc/passwd.
- Always add a "root" entry with gid 0 to /etc/group, which on NT systems has the SID of the administrators group.

The advantage of this is that new packages could expect having a root account and a root group with uid and gid 0. So account specific rules in a lot of U*X-centric packages could mostly stay as they are as a first approximation.

How could that be implemented?

- The default postinstall always creates the "root" group entry in /etc/group. It also creates a "root" user entry if a user "root" exists (that's done by mkpasswd already). But it also creates a "root" user in /etc/passwd if it does not exist in the NT SAM, as a placeholder with a hint in the password field "DON'T TOUCH".
- Add a script to the base-files or base-passwd package, which creates the "root" user according to the above rules. This script could be called, say, /usr/sbin/create-root. How it could work can be seen in /usr/bin/ssh-host-config.
- From service installation scripts (like ssh-host-config), call that script instead of doing it by itself.
- All services should (or may) expect to run under that "root" account with uid and gid 0.

Of course, this would require all maintainers of packages, which provide a service, to change their package accordingly.

Comments?

If we agree to do as above (or similar), I would gladly appreciate it if I didn't have to do it alone.

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
Please, send mails regarding Cygwin to mailto:[EMAIL PROTECTED]
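
The postinstall rules proposed in the message above, sketched as an added example (not code from the post, from ssh-host-config or from any Cygwin package). The function names, the file-path parameters and the placeholder's gecos, home and shell fields are assumptions; S-1-5-32-544 is the well-known SID of the local Administrators group. The sketch refuses to write anything when the name "root" or id 0 is already mapped to something else, since a second uid 0 or gid 0 entry would silently grant the wrong account that identity.

```sh
#!/bin/sh
# Added illustration of the proposed postinstall rules; not Cygwin's own script.
# Function names and the placeholder's gecos/home/shell fields are assumptions.

ADMIN_SID='S-1-5-32-544'   # well-known SID of the local Administrators group

# root_state FILE: prints "present" (root with id 0), "absent", or "conflict"
# (root with another id, or another name holding id 0). Works for both files
# because name is field 1 and uid/gid is field 3 in passwd and group alike.
root_state() {
    awk -F: '
        $1 == "root" && $3 == "0" { ok = 1; next }
        $1 == "root" || $3 == "0" { bad = 1 }
        END { print (bad ? "conflict" : (ok ? "present" : "absent")) }
    ' "$1"
}

# ensure_root PASSWD_FILE GROUP_FILE SAM_HAS_ROOT(yes|no)
# returns 0 = entries in place, 1 = conflict (nothing written),
#         2 = group done, passwd entry left to mkpasswd (account is in the SAM)
ensure_root() {
    passwd_file=$1; group_file=$2; sam_has_root=$3
    p=$(root_state "$passwd_file"); g=$(root_state "$group_file")
    if [ "$p" = conflict ] || [ "$g" = conflict ]; then
        echo "refusing: name root or id 0 is already mapped differently" >&2
        return 1
    fi
    # The group entry is always created; its second field carries the SID.
    [ "$g" = present ] || printf 'root:%s:0:\n' "$ADMIN_SID" >> "$group_file"
    [ "$p" = present ] && return 0
    if [ "$sam_has_root" = yes ]; then
        echo "root exists in the SAM: mkpasswd writes the passwd entry" >&2
        return 2
    fi
    # No SAM account yet: placeholder with the hint in the password field.
    printf '%s\n' "root:DON'T TOUCH:0:0:placeholder:/root:/bin/false" >> "$passwd_file"
}
```

Run it against copies of /etc/passwd and /etc/group first; a return value of 1 means an existing entry needs manual review before any service is moved to the "root" account.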