Re: Cygrunsrv and special Windows virtual accounts NT SERVICE
On 12/18/2012 05:57 AM, Andrey Repin wrote: what about '-w -' or a long-only option like --null-pwd? I'd say, the latter. -w - looks like you are trying to read password from STDIN. I heartily concur for two reasons: 1) '-w -' really looks like like stdin/out 2) '-' is actually a valid password Let's go for --null-pwd bartels -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Cygrunsrv and special Windows virtual accounts NT SERVICE
On Dec 18 10:45, bartels wrote: On 12/18/2012 05:57 AM, Andrey Repin wrote: what about '-w -' or a long-only option like --null-pwd? I'd say, the latter. -w - looks like you are trying to read password from STDIN. I heartily concur for two reasons: 1) '-w -' really looks like like stdin/out 2) '-' is actually a valid password Let's go for --null-pwd Btw., this is an open source project, guys: cvs -d :pserver:anon...@sourceware.org:/cvs/cygwin-apps co cygrunsrv http://cygwin.com/acronyms/#PTC Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Cygrunsrv and special Windows virtual accounts NT SERVICE
On Dec 14 16:23, Lavrentiev, Anton (NIH/NLM/NCBI) [C] wrote: http://cygwin.com/ml/cygwin/2012-12/msg00154.html Thanks. I'm wondering if it's such a bright idea to use a NULL password based on a check for a certain domain. That's practically guaranteed to break at one point again. I don’t think Microsoft is going to drop NT SERVICE\ in any near future (they've just had the feature introduced!). This is the only domain that needs to be treated specially (for now). That's not how I understand the documentation: http://technet.microsoft.com/en-us/library/dd548356.aspx Virtual accounts use the NT SERVICE domain, but managed accounts seem to be subsumed under your normal AD domain name. !pass || pass[0] == '\0' MSDN says that password-less accounts must provide an empty string (and it does not mention NULL). More cumbersome logic can involve checking for both the special domain and empty/NULL password (as above), resulting in NULL lpPassword only when both checks have been met. what about something like `-w NULL'? I would not vote for this. This precludes that the string NULL cannot be used as an otherwise regular password. Apart from the fact that NULL is a terrible password, I'd still be more comfortable to allow a NULL password as a user defined option on the command line. If not -W NULL, what about '-w -' or a long-only option like --null-pwd? Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
RE: Cygrunsrv and special Windows virtual accounts NT SERVICE
what about '-w -' or a long-only option like --null-pwd? I'd be happy with either! Thanks, Anton Lavrentiev Contractor NIH/NLM/NCBI
Re: Cygrunsrv and special Windows virtual accounts NT SERVICE
Greetings, Corinna Vinschen! Apart from the fact that NULL is a terrible password, I'd still be more comfortable to allow a NULL password as a user defined option on the command line. If not -W NULL, what about '-w -' or a long-only option like --null-pwd? I'd say, the latter. -w - looks like you are trying to read password from STDIN. -- WBR, Andrey Repin (anrdae...@freemail.ru) 18.12.2012, 08:55 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
RE: Cygrunsrv and special Windows virtual accounts NT SERVICE
Just checking whether this is going to be implemented... Thanks, Anton Lavrentiev Contractor NIH/NLM/NCBI -Original Message- Sent: Friday, December 07, 2012 11:50 AM Subject: RE: Cygrunsrv and special Windows virtual accounts NT SERVICE per the bad user/pass combo, presumably). Per MSDN, http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450%28v=vs.85%29.aspx : If the account name specified by the lpServiceStartName parameter is the name of a managed service account or virtual account name, the lpPassword parameter must be NULL. But cygrunsrv passes either or the actual string (when any username is provided). It should pass NULL for the usernames that look like NT SERVICE\svcname: if (!(sh = CreateService (sm, san.name (), disp, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS | (interactive ? SERVICE_INTERACTIVE_PROCESS : 0), type == Auto ? SERVICE_AUTO_START : SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, mypath, NULL, NULL, dependencies, username, username ? pass ?: : NULL))) Anton Lavrentiev Contractor NIH/NLM/NCBI
Re: Cygrunsrv and special Windows virtual accounts NT SERVICE
On Dec 14 16:01, Lavrentiev, Anton (NIH/NLM/NCBI) [C] wrote: Just checking whether this is going to be implemented... http://cygwin.com/ml/cygwin/2012-12/msg00154.html Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
RE: Cygrunsrv and special Windows virtual accounts NT SERVICE
http://cygwin.com/ml/cygwin/2012-12/msg00154.html Thanks. I'm wondering if it's such a bright idea to use a NULL password based on a check for a certain domain. That's practically guaranteed to break at one point again. I don’t think Microsoft is going to drop NT SERVICE\ in any near future (they've just had the feature introduced!). This is the only domain that needs to be treated specially (for now). !pass || pass[0] == '\0' MSDN says that password-less accounts must provide an empty string (and it does not mention NULL). More cumbersome logic can involve checking for both the special domain and empty/NULL password (as above), resulting in NULL lpPassword only when both checks have been met. what about something like `-w NULL'? I would not vote for this. This precludes that the string NULL cannot be used as an otherwise regular password. Anton Lavrentiev Contractor NIH/NLM/NCBI
Re: Cygrunsrv and special Windows virtual accounts NT SERVICE
On Fri, Dec 14, 2012 at 05:06:16PM +0100, Corinna Vinschen wrote: On Dec 14 16:01, Lavrentiev, Anton (NIH/NLM/NCBI) [C] wrote: Just checking whether this is going to be implemented... http://cygwin.com/ml/cygwin/2012-12/msg00154.html So you're working on it? cgf -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Cygrunsrv and special Windows virtual accounts NT SERVICE
On Dec 7 16:49, Lavrentiev, Anton (NIH/NLM/NCBI) [C] wrote: per the bad user/pass combo, presumably). Per MSDN, http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450%28v=vs.85%29.aspx : If the account name specified by the lpServiceStartName parameter is the name of a managed service account or virtual account name, the lpPassword parameter must be NULL. But cygrunsrv passes either or the actual string (when any username is provided). It should pass NULL for the username that look like NT SERVICE\svcname: if (!(sh = CreateService (sm, san.name (), disp, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS | (interactive ? SERVICE_INTERACTIVE_PROCESS : 0), type == Auto ? SERVICE_AUTO_START : SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, mypath, NULL, NULL, dependencies, username, username ? pass ?: : NULL))) I'm wondering if it's such a bright idea to use a NULL password based on a check for a certain domain. That's practically guaranteed to break at one point again. Is it worth at all to support empty passwords? If not, we could always use NULL if !pass || pass[0] == '\0'. Or, alternatively, what about something like `-w NULL'? Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Cygrunsrv and special Windows virtual accounts NT SERVICE
Hi all, I have a suggestion that cygrunsrv doesn't ask for any password with the option -u (and -w not provided), if the specified user is like NT SERVICE\svcname, where svcname is the service being added. Otherwise, cygrunsrv is not self-sufficient for defining a service, and has to be further supplemented with a patch using the native SC command. Yet having every service to run under the privileged LocalSystem account is not always justified. So, instead of having to do a two-step process: cygrunsrv -I svcname ... sc config svcname obj= NT SERVICE\svcname everything could be done in one command: cygrunsrv -I svcname -u NT SERVICE\svcname ... Thanks, Anton Lavrentiev Contractor NIH/NLM/NCBI See: http://msdn.microsoft.com/en-us/library/ms143504.aspx#New_Accounts -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Cygrunsrv and special Windows virtual accounts NT SERVICE
On Dec 7 13:30, Lavrentiev, Anton (NIH/NLM/NCBI) [C] wrote: Hi all, I have a suggestion that cygrunsrv doesn't ask for any password with the option -u (and -w not provided), if the specified user is like NT SERVICE\svcname, where svcname is the service being added. Otherwise, cygrunsrv is not self-sufficient for defining a service, and has to be further supplemented with a patch using the native SC command. Yet having every service to run under the privileged LocalSystem account is not always justified. So, instead of having to do a two-step process: cygrunsrv -I svcname ... sc config svcname obj= NT SERVICE\svcname everything could be done in one command: cygrunsrv -I svcname -u NT SERVICE\svcname ... What about cygrunsrv -I svcname -u NT SERVICE\svcname -p '' ? Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
RE: Cygrunsrv and special Windows virtual accounts NT SERVICE
cygrunsrv -I svcname -u NT SERVICE\svcname -p '' I'm not quite sure I follow your suggestion: -p is for path to the actual executable that implements the background process If you meant -w '' (or as documentation suggests '-w ') then it does not work for some reason -- cygrunsrv cannot install the service (per the bad user/pass combo, presumably). Anton Lavrentiev Contractor NIH/NLM/NCBI
RE: Cygrunsrv and special Windows virtual accounts NT SERVICE
per the bad user/pass combo, presumably). Per MSDN, http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450%28v=vs.85%29.aspx : If the account name specified by the lpServiceStartName parameter is the name of a managed service account or virtual account name, the lpPassword parameter must be NULL. But cygrunsrv passes either or the actual string (when any username is provided). It should pass NULL for the username that look like NT SERVICE\svcname: if (!(sh = CreateService (sm, san.name (), disp, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS | (interactive ? SERVICE_INTERACTIVE_PROCESS : 0), type == Auto ? SERVICE_AUTO_START : SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, mypath, NULL, NULL, dependencies, username, username ? pass ?: : NULL))) Anton Lavrentiev Contractor NIH/NLM/NCBI
