Re: Bug in csih

2012-02-06 Thread Corinna Vinschen
On Feb  5 15:23, Charles Wilson wrote:
> On 1/16/2012 5:14 AM, Corinna Vinschen wrote:
> > Chuck?  Ping?
>
> How's this?  (BTW, we do similar stuff in
> csih_create_privileged_user() but I didn't address that).

That looks ok to me.  As for csih_create_privileged_user, I don't see
what you mean.  In that function you just add the account to the local
admins group, which is the right thing to do.  Where, do you think, is
the problem in csih_create_privileged_user?


Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader  cygwin AT cygwin DOT com
Red Hat


Re: Bug in csih

2012-02-06 Thread Charles Wilson

On 2/6/2012 6:25 AM, Corinna Vinschen wrote:
> On Feb  5 15:23, Charles Wilson wrote:
> > How's this?  (BTW, we do similar stuff in
> > csih_create_privileged_user() but I didn't address that).
>
> That looks ok to me.  As for csih_create_privileged_user, I don't see
> what you mean.  In that function you just add the account to the local
> admins group, which is the right thing to do.  Where, do you think, is
> the problem in csih_create_privileged_user?


Just that it, also, tries to figure out the name of the Administrator's 
group and add the newly-created user to it -- e.g. 'similar stuff'. 
But, as you say, this isn't really a problem in the context of creating 
a new (local) admin account.


--
Chuck



Re: Bug in csih

2012-02-05 Thread Charles Wilson

On 1/16/2012 5:14 AM, Corinna Vinschen wrote:
> Chuck?  Ping?



How's this?   (BTW, we do similar stuff in csih_create_privileged_user() 
but I didn't address that).



Index: cygwin-service-installation-helper.sh
===
RCS file: /cvs/cygwin-apps/csih/cygwin-service-installation-helper.sh,v
retrieving revision 1.28
diff -u -p -r1.28 cygwin-service-installation-helper.sh
--- cygwin-service-installation-helper.sh   13 Feb 2011 23:22:34 -  
1.28
+++ cygwin-service-installation-helper.sh   5 Feb 2012 20:22:07 -
@@ -2244,7 +2244,6 @@ csih_account_has_necessary_privileges()
   $_csih_trace

   local user=$1
-  local admingroup=
   if [ -n ${user} ]
   then
 if csih_call_winsys32 net user ${user} /dev/null 21
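Review bot: dropping `local admingroup=` is only safe if no other reference to `${admingroup}` remains in csih_account_has_necessary_privileges once the second hunk is applied; the `net localgroup ${admingroup}` pipeline is the one visible user and the second hunk deletes it, so this is consistent, but the final script should be grepped for the variable before commit.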
@@ -2255,23 +2254,14 @@ csih_account_has_necessary_privileges()
 csih_warning Unable to ensure that '${user}' has the 
appropriate privileges.

 return 1
   else
-admingroup=$(/usr/bin/mkgroup -l | /usr/bin/awk -F: '{if ( $2 
== S-1-5-32-544 ) print $1;}')

-if [ -z ${admingroup} ]
-then
-  csih_warning Cannot obtain the Administrators group name 
from 'mkgroup -l'.

-  return 1
-fi
-if ! csih_call_winsys32 net localgroup ${admingroup} | 
/usr/bin/grep -Eiq ^${user}.?$

-then
-  # user not in Administrators group
-  return 1
-else
-  /usr/bin/editrights -u ${user} -t 
SeAssignPrimaryTokenPrivilege /dev/null 21 
-  /usr/bin/editrights -u ${user} -t SeCreateTokenPrivilege 
 /dev/null 21 
-  /usr/bin/editrights -u ${user} -t SeTcbPrivilege 
 /dev/null 21 
-  /usr/bin/editrights -u ${user} -t SeServiceLogonRight 
 /dev/null 21

-  return # status of previous command-list
-fi
+   # Don't attempt to validate membership in Administrators group
+   # Instead, just try to set the appropriate rights; if it fails
+   # then handle that, instead.
+/usr/bin/editrights -u ${user} -t 
SeAssignPrimaryTokenPrivilege /dev/null 21 
+/usr/bin/editrights -u ${user} -t SeCreateTokenPrivilege 
   /dev/null 21 
+/usr/bin/editrights -u ${user} -t SeTcbPrivilege 
   /dev/null 21 
+/usr/bin/editrights -u ${user} -t SeServiceLogonRight 
   /dev/null 21

+return # status of previous command-list
   fi
 fi
   fi
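Review bot: the replacement branch loses the only diagnostic the deleted code emitted. The removed `csih_warning Cannot obtain the Administrators group name from 'mkgroup -l'.` told the caller why the check failed, whereas the new chain of four `editrights -u ${user} -t ...` tests ends in `return # status of previous command-list`, so an account that lacks, say, SeServiceLogonRight now fails without any message naming the missing right. The in-hunk comment says "if it fails then handle that, instead", but nothing in the hunk does the handling; suggest following the chain with a csih_warning that names the right that was not granted, mirroring the `Unable to ensure that '${user}' has the appropriate privileges.` branch above. The logic change itself (testing the rights directly instead of inferring them from direct membership in Administrators) is the right fix for the nested domain group case described in the thread, since `net localgroup` lists only direct members.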



Re: Bug in csih

2012-01-16 Thread Corinna Vinschen
Chuck?  Ping?

On Dec 19 14:07, Corinna Vinschen wrote:
> Hi Chuck,
>
> during some testing I suddenly found that I couldn't start an sshd which
> I had just installed as a service.  The reason was that the account I
> was using for the service didn't have the Logon as service user right.
> Which was puzzling given that csih calls editrights to add this user
> right.
>
> It turned out that the following test in cygwin-service-installation-helper.sh
> is incorrect (line 2264):
>
>   if ! csih_call_winsys32 net localgroup ${admingroup} | /usr/bin/grep -Eiq ^${user}.?$
>
> The problem occurs if the user account is a domain account.  In that
> case membership in the local administrators group is often only
> indirectly given by being the member in a domain group which in turn
> is member in the Administrators group.  Example:
>
>   DOMAIN\user is member of DOMAIN\Domain Admins
>   DOMAIN\Domain Admins is member of Administrators
>
> However, the `net localgroup' command does not resolve group memberships.
> `net localgroup Administrators' on a domain member machine returns:
>
>   Alias name Administrators
>   Comment[...blah...]
>
>   Members
>
>   ---
>   Administrator
>   VINSCHEN\Domain Admins
>   The command completed successfully.
>
> Calling `net localgroup Administrators /domain' isn't sufficient either,
> since it also doesn't return indirect memberships.
>
> Therefore I think the test for being a member of the admins group is
> invalid and should just go away.  The current behaviour is too surprising
> in a domain environment.

Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader  cygwin AT cygwin DOT com
Red Hat
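The failure mode Corinna describes, as an added example that is not code from the csih project or from anyone in this thread: a parser for the `net localgroup` output layout quoted above, the direct-membership test csih used to perform on that output, and a transitive resolver that walks nested groups the way `net localgroup` does not. The `net localgroup` text, the domain group table and the account names (VINSCHEN\corinna, VINSCHEN\svc_sshd, VINSCHEN\Nested Ops) are constructed sample data, not real accounts; a real resolver would query the directory for each group's members instead of reading a hard-coded dict.

```python
"""Added example (not csih code): why a direct `net localgroup` membership
test gives a false negative for a domain account whose Administrators
membership is inherited through a nested domain group."""

# Constructed sample of `net localgroup Administrators` output on a domain
# member, in the layout quoted in the thread.  Only DIRECT members appear.
NET_LOCALGROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access

Members

-------------------------------------------------------------------------------
Administrator
VINSCHEN\\Domain Admins
The command completed successfully.
"""

# Constructed domain group memberships, i.e. the nesting that
# `net localgroup` does NOT resolve.  Hypothetical accounts.
DOMAIN_GROUP_MEMBERS = {
    "VINSCHEN\\Domain Admins": {"VINSCHEN\\corinna", "VINSCHEN\\Nested Ops"},
    "VINSCHEN\\Nested Ops": {"VINSCHEN\\svc_sshd"},
}


def parse_net_localgroup(output: str) -> list[str]:
    """Return the direct member lines from `net localgroup <group>` output.

    Members follow the dashed separator line and end at the status line.
    """
    members = []
    in_members = False
    for line in output.splitlines():
        line = line.rstrip()
        if line.startswith("---"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.startswith("The command completed"):
            break
        members.append(line)
    return members


def is_direct_member(user: str, group_output: str) -> bool:
    """The check csih used to make: case-insensitive exact-line match of
    the user name against the direct member list (what `grep -Eiq ^user$`
    over the `net localgroup` output amounts to)."""
    wanted = user.lower()
    return any(m.lower() == wanted for m in parse_net_localgroup(group_output))


def is_transitive_member(user: str, group_output: str, nested: dict) -> bool:
    """Resolve nested membership: treat every listed member that is itself a
    group as something to expand, depth-first, with a visited set so a
    cyclic nesting cannot loop forever."""
    wanted = user.lower()
    to_visit = list(parse_net_localgroup(group_output))
    seen = set()
    while to_visit:
        member = to_visit.pop()
        if member.lower() == wanted:
            return True
        if member in seen:
            continue
        seen.add(member)
        # Members of a group that is not in the table are simply unknown.
        to_visit.extend(nested.get(member, ()))
    return False


if __name__ == "__main__":
    for account in ("Administrator", "VINSCHEN\\corinna", "VINSCHEN\\svc_sshd"):
        print(account,
              "direct:", is_direct_member(account, NET_LOCALGROUP_OUTPUT),
              "transitive:", is_transitive_member(account, NET_LOCALGROUP_OUTPUT,
                                                  DOMAIN_GROUP_MEMBERS))
```

The direct test answers False for the nested domain accounts exactly as csih's grep did, which is the false negative that made the script skip granting the service rights; the transitive walk finds them. The patch in this thread sidesteps the question entirely by testing the rights with editrights instead of inferring them from group membership, which is the cheaper and more robust choice on a domain member.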