This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Win2003 server and cron/sshd as services (1.5.19)


Mike Dunn wrote:
> Larry Hall (Cygwin) wrote:
>> On 05/06/2006, Mike Dunn wrote:
>>> I did just test by running cron from the command line (not as a service), and it appears to work fine. I suspect that it can only exec commands under my uid, since my account does not have things like SeCreateTokenPrivilege, etc.
>>
>> Right. And by running it from the command line under your uid, you've created
>> files under /var with permissions that will keep 'cron' from running as a
>> service using the sshd_server (which already has the ability to switch user
>> contexts on W2K3). Your best bet here is probably to uninstall cron and
>> reinstall it, using the installation instructions in
>> /usr/share/doc/Cygwin/cron.README.



>  Was there anything in particular you are referring to in the README, or
> is this a general RTFM comment?  I have read the READMEs, googled the
> list for 5 days, picked apart the install scripts, tested with
> alternative services, reinstalled, etc.  I would like to think that I've
> done my homework.
>
>  I believe that I understand the permissions issue that you refer to.
> Clearly I ran cron under my UID as a diagnostic procedure; I have since
> reinstalled it a number of times (correcting the permissions indicated
> in the README) and cron_diagnose is happy.  Can you suggest what may be
> wrong with permission beyond that?

Once you start services under one user, they create files with specific
permissions. These permissions will keep the services from running as
another user. This is certainly true for sshd, which sets permissions
for /var/empty and some other files in that directory to be accessible only
for the service user. I'm away from my Windows machine at the moment so I
cannot provide further details at this point. But look at the configuration
scripts if you want some pointers.  The reason these configuration scripts
exist is so one can easily and quickly install a working setup. So your best
bet to getting one is to use them. However, since you have configured things
using another method, you probably won't have much luck getting things to
work without undoing what you've already done. Alternatively, for cron, as
long as you only want it to run as the user you're running the service as,
there is no problem continuing as you have things now. Essentially, this is
true for ssh too but you mentioned the desire to be able to switch user
contexts.  That requires the user running the service to have the permissions
to do this. The ssh-host-config script creates the sshd_server user for you
with the proper permissions to run on W2K3. See the ssh-host-config
script if you want to know how this was set up. Obviously, you can add
these permissions to any user if you prefer. The biggest downside is the
additional security risk of having yet another user id with these added
permissions (and perhaps more).


--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA  01746
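
The ownership problem described in this reply can be checked directly. The script below is an added example, not part of the original message or of the Cygwin configuration scripts: a POSIX shell function (the name `audit_service_tree` is hypothetical) that lists entries under the given paths that are not owned by the service account, or that the account owns but cannot access.

```shell
#!/bin/sh
# Added example; audit_service_tree is a hypothetical helper name.
# Usage: audit_service_tree SERVICE_USER PATH...
#   e.g. audit_service_tree sshd_server /var/empty
# SERVICE_USER may be an account name or a numeric uid.
# Prints one line per finding and returns 1 if anything was found:
#   OWNER <path>  entry is not owned by SERVICE_USER (for instance, left
#                 behind by a run under a different account)
#   MODE <path>   entry is owned by SERVICE_USER but the owner bits deny
#                 access (directories need rwx, other entries need r)
audit_service_tree() {
    svc=$1
    shift
    report=$(
        for p in "$@"; do
            # A path that does not exist yet cannot block the service.
            [ -e "$p" ] || continue
            find "$p" ! -user "$svc" -print | sed 's/^/OWNER /'
            find "$p" -user "$svc" \
                \( -type d ! -perm -0700 -o ! -type d ! -perm -0400 \) \
                -print | sed 's/^/MODE /'
        done
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Run the audit when the script is called with a user and at least one path.
if [ "$#" -ge 2 ]; then
    audit_service_tree "$@"
fi
```

Any `OWNER` line marks a file that should be re-owned or removed before the service is started under the dedicated account.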
