Re: Bug in csih
On Feb 5 15:23, Charles Wilson wrote:
> On 1/16/2012 5:14 AM, Corinna Vinschen wrote:
> > Chuck? Ping?
>
> How's this? (BTW, we do similar stuff in csih_create_privileged_user() but I didn't address that).

That looks ok to me.

As for csih_create_privileged_user, I don't see what you mean. In that function you just add the account to the local admins group, which is the right thing to do. Where, do you think, is the problem in csih_create_privileged_user?

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
Re: Bug in csih
On 2/6/2012 6:25 AM, Corinna Vinschen wrote:
> On Feb 5 15:23, Charles Wilson wrote:
> > How's this? (BTW, we do similar stuff in csih_create_privileged_user() but I didn't address that).
>
> That looks ok to me.
>
> As for csih_create_privileged_user, I don't see what you mean. In that function you just add the account to the local admins group, which is the right thing to do. Where, do you think, is the problem in csih_create_privileged_user?

Just that it, also, tries to figure out the name of the Administrator's group and add the newly-created user to it -- e.g. 'similar stuff'. But, as you say, this isn't really a problem in the context of creating a new (local) admin account.

--
Chuck
Re: Bug in csih
On 1/16/2012 5:14 AM, Corinna Vinschen wrote:
> Chuck? Ping?

How's this? (BTW, we do similar stuff in csih_create_privileged_user() but I didn't address that).

Index: cygwin-service-installation-helper.sh === RCS file: /cvs/cygwin-apps/csih/cygwin-service-installation-helper.sh,v retrieving revision 1.28 diff -u -p -r1.28 cygwin-service-installation-helper.sh --- cygwin-service-installation-helper.sh 13 Feb 2011 23:22:34 - 1.28 +++ cygwin-service-installation-helper.sh 5 Feb 2012 20:22:07 - @@ -2244,7 +2244,6 @@ csih_account_has_necessary_privileges() $_csih_trace local user=$1 - local admingroup= if [ -n ${user} ] then if csih_call_winsys32 net user ${user} /dev/null 21
@@ -2255,23 +2254,14 @@ csih_account_has_necessary_privileges() csih_warning Unable to ensure that '${user}' has the appropriate privileges. return 1 else -admingroup=$(/usr/bin/mkgroup -l | /usr/bin/awk -F: '{if ( $2 == S-1-5-32-544 ) print $1;}') -if [ -z ${admingroup} ] -then - csih_warning Cannot obtain the Administrators group name from 'mkgroup -l'. - return 1 -fi -if ! csih_call_winsys32 net localgroup ${admingroup} | /usr/bin/grep -Eiq ^${user}.?$ -then - # user not in Administrators group - return 1 -else - /usr/bin/editrights -u ${user} -t SeAssignPrimaryTokenPrivilege /dev/null 21 - /usr/bin/editrights -u ${user} -t SeCreateTokenPrivilege /dev/null 21 - /usr/bin/editrights -u ${user} -t SeTcbPrivilege /dev/null 21 - /usr/bin/editrights -u ${user} -t SeServiceLogonRight /dev/null 21 - return # status of previous command-list -fi + # Don't attempt to validate membership in Administrators group + # Instead, just try to set the appropriate rights; if it fails + # then handle that, instead. +/usr/bin/editrights -u ${user} -t SeAssignPrimaryTokenPrivilege /dev/null 21 +/usr/bin/editrights -u ${user} -t SeCreateTokenPrivilege /dev/null 21 +/usr/bin/editrights -u ${user} -t SeTcbPrivilege /dev/null 21 +/usr/bin/editrights -u ${user} -t SeServiceLogonRight /dev/null 21 +return # status of previous command-list fi fi fi
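Review bot: in the second hunk, `return # status of previous command-list` still propagates only the exit status of the last command, the `editrights -u ${user} -t SeServiceLogonRight` test, so a failed test for SeAssignPrimaryTokenPrivilege, SeCreateTokenPrivilege or SeTcbPrivilege is silently dropped and csih_account_has_necessary_privileges() reports the account as privileged anyway. The new comment says "if it fails then handle that, instead", but nothing in the added lines handles a failure of the first three tests. Chain the four `editrights -t` calls with `&&` (or loop over the rights and `return 1` on the first failure), and emit a csih_warning naming the missing right so the caller can tell which one to grant. The removal of the `net localgroup` membership check itself matches Corinna's analysis in the thread: nested domain-group membership is not visible through `net localgroup`, so testing the rights directly is the more reliable check.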
Re: Bug in csih
Chuck? Ping?

On Dec 19 14:07, Corinna Vinschen wrote:
> Hi Chuck,
>
> during some testing I suddenly found that I couldn't start an sshd which I had just installed as a service. The reason was that the account I was using for the service didn't have the "Logon as service" user right. Which was puzzling given that csih calls editrights to add this user right.
>
> It turned out that the following test in cygwin-service-installation-helper.sh is incorrect (line 2264):
>
>   if ! csih_call_winsys32 net localgroup ${admingroup} | /usr/bin/grep -Eiq ^${user}.?$
>
> The problem occurs if the user account is a domain account. In that case membership in the local administrators group is often only indirectly given by being the member in a domain group which in turn is member in the Administrators group. Example:
>
>   DOMAIN\user is member of DOMAIN\Domain Admins
>   DOMAIN\Domain Admins is member of Administrators
>
> However, the `net localgroup' command does not resolve group memberships. `net localgroup Administrators' on a domain member machine returns:
>
>   Alias name     Administrators
>   Comment        [...blah...]
>
>   Members
>   ---
>   Administrator
>   VINSCHEN\Domain Admins
>   The command completed successfully.
>
> Calling `net localgroup Administrators /domain' isn't sufficient either, since it also doesn't return indirect memberships.
>
> Therefore I think the test for being a member of the admins group is invalid and should just go away. The current behaviour is too surprising in a domain environment.
>
> Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
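A privilege check in the spirit of the fix discussed in this thread, written here as an added example and not taken from csih: instead of inferring membership in Administrators from `net localgroup` (which misses nested domain-group membership), it tests each of the four rights the patch names with `editrights -t` and reports every right that is missing, so a failure in any one of them fails the check. The `EDITRIGHTS` variable and the helper names are assumptions made so the logic can be exercised without Cygwin's /usr/bin/editrights.

```shell
#!/bin/sh
# Added example (not csih code). EDITRIGHTS is an assumed override hook so the
# check can run with a stand-in instead of Cygwin's /usr/bin/editrights.
EDITRIGHTS=${EDITRIGHTS:-/usr/bin/editrights}

# The user rights csih expects a service account (e.g. for sshd) to hold.
CSIH_SERVICE_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight"

# missing_rights USER
# Prints, space-separated, every right in CSIH_SERVICE_RIGHTS that USER does
# not hold according to 'editrights -u USER -t RIGHT'. Prints nothing if all
# rights are present. Nested group membership is irrelevant here: the right is
# tested directly on the account.
missing_rights() {
    user=$1
    missing=
    for right in $CSIH_SERVICE_RIGHTS; do
        "$EDITRIGHTS" -u "$user" -t "$right" >/dev/null 2>&1 || missing="$missing $right"
    done
    echo "${missing# }"
}

# account_has_rights USER
# Returns 0 if USER holds every required right, 1 otherwise. Unlike a bare
# 'return' after a list of commands, which reports only the last command's
# status, this fails if ANY right is missing and names the missing ones.
account_has_rights() {
    [ -n "$1" ] || { echo "account_has_rights: no account given" >&2; return 1; }
    command -v "$EDITRIGHTS" >/dev/null 2>&1 || { echo "$EDITRIGHTS not found" >&2; return 1; }
    missing=$(missing_rights "$1")
    [ -z "$missing" ] && return 0
    echo "account '$1' lacks: $missing" >&2
    return 1
}

# Usage on a Cygwin host: account_has_rights 'DOMAIN\svc_sshd' || echo "fix rights first"
```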