This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: [ATTN Maintainer] csih


Hi Achim,

On Apr  2 11:27, Achim Gratz wrote:
> Corinna Vinschen writes:
> >> There's another fix that should probably go into the scripts: The
> >> service users should get SeDenyInteractiveLogonRight (they already have
> >> SeDenyRemoteLogonRight).  At least on my Windows7 Pro/64bit laptop the
> >> accounts show up on the login screen otherwise.
> >
> > Still, https://cygwin.com/acronyms/#PGA?  Really, I mean it.
> 
> Sorry, I was temporarily out of round tuits.
> 
> Index: cygwin-service-installation-helper.sh
> ===================================================================
> RCS file: /cvs/cygwin-apps/csih/cygwin-service-installation-helper.sh,v
> retrieving revision 1.37
> diff -r1.37 cygwin-service-installation-helper.sh
> 3038a3039
> >         /usr/bin/editrights -a SeDenyInteractiveLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
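
Review bot: the added line at 3039 passes ${csih_PRIVILEGED_USERNAME} to -u unquoted, so an account name containing whitespace or glob characters would be split into several arguments to editrights; suggest -u "${csih_PRIVILEGED_USERNAME}". The line also ends in &&, so it is only correct if it lands inside the existing chain of editrights calls, which this context-free diff gives no way to confirm.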

diff -up, please, it's much easier to read.  

> OK to commit?

Yes, please apply.

> BTW, is there some deeper reason to use
> 
>         /usr/bin/editrights -a SeAssignPrimaryTokenPrivilege -u ${csih_PRIVILEGED_USERNAME} &&
>         /usr/bin/editrights -a SeCreateTokenPrivilege -u ${csih_PRIVILEGED_USERNAME} &&
>         /usr/bin/editrights -a SeTcbPrivilege -u ${csih_PRIVILEGED_USERNAME} &&
>         /usr/bin/editrights -a SeDenyInteractiveLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
>         /usr/bin/editrights -a SeDenyRemoteInteractiveLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
>         /usr/bin/editrights -a SeServiceLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
>         username_got_all_rights="yes"
> 
> instead of
> 
>         /usr/bin/editrights \
>           -a SeAssignPrimaryTokenPrivilege -a SeCreateTokenPrivilege -a SeTcbPrivilege \
>           -a SeDenyInteractiveLogonRight -a SeDenyRemoteInteractiveLogonRight \
>           -a SeServiceLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
>         username_got_all_rights="yes"
> 
> ?  Because if there is, that seems like a bug in editrights that should
> be fixed.

That should work.  IIUC Chuck was trying to check if every single right
has been granted, but the single call to editrights should do the same
thing, given that it calls LsaAddAccountRights and returns an error if
that function returns an error.

Feel free to apply a patch after testing.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
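
The check below is an added example, not part of the original message or of csih: a post-install audit that confirms a service account really holds the six rights from the quoted snippet, including the new SeDenyInteractiveLogonRight. The function name missing_rights and the EDITRIGHTS override variable are hypothetical, and it assumes that "editrights -l -u USER" prints one right name per line.

```shell
#!/bin/sh
# Added example: audit a service account's rights after installation.
# Assumption: `editrights -l -u USER` prints one right name per line.
# EDITRIGHTS may be overridden so the check can be exercised off-Windows.
EDITRIGHTS=${EDITRIGHTS:-/usr/bin/editrights}

# The six rights granted by the csih snippet quoted in the message above.
REQUIRED_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege
SeTcbPrivilege SeDenyInteractiveLogonRight
SeDenyRemoteInteractiveLogonRight SeServiceLogonRight"

# missing_rights USER
# Prints every required right the account lacks, one per line.
# Returns 0 if nothing is missing, 1 if something is, 2 if the query failed.
missing_rights() {
  mr_user=$1
  # The user name is quoted so a name with spaces stays one argument.
  mr_have=$("$EDITRIGHTS" -l -u "$mr_user") || return 2
  mr_rc=0
  for mr_right in $REQUIRED_RIGHTS; do
    # -x matches the whole line and -F disables regex handling, so
    # SeDenyRemoteInteractiveLogonRight cannot stand in for
    # SeDenyInteractiveLogonRight.
    if ! printf '%s\n' "$mr_have" | grep -qxF "$mr_right"; then
      printf '%s\n' "$mr_right"
      mr_rc=1
    fi
  done
  return $mr_rc
}
```

On a Cygwin host, run missing_rights with the service account name from an elevated shell; any output names a right that still has to be granted.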


