src/winsup/cygwin ChangeLog sec_auth.cc sec_he ...
CVSROOT: /cvs/src
Module name: src
Changes by: cori...@sourceware.org 2011-10-15 16:31:57

Modified files:
    winsup/cygwin : ChangeLog sec_auth.cc sec_helper.cc security.h wincap.cc wincap.h

Log message:
    * sec_auth.cc (get_token_group_sidlist): Add CONSOLE LOGON SID on systems supporting it. Never add SERVICE SID but keep code in for future reference. Explain why.
    (get_priv_list): Add cygpsid pointer parameter. Point it to the mandatory integrity SID which matches account and privileges.
    (create_token): Fetch mandatory integrity SID from call to get_priv_list.
    (lsaauth): Call get_priv_list with additional NULL pointer. Change comment accordingly.
    * sec_helper.cc (well_known_console_logon_sid): New static SID.
    (cygpriv): Change to structure containing extra flag to store info about required integrity level.
    (privilege_luid): Accommodate changes to cygpriv. Return integrity level in new high_integrity parameter.
    (privilege_name): Accommodate changes to cygpriv.
    (set_privilege): Drop trailing \n from debug output.
    (set_cygwin_privileges): Don't set SE_CREATE_GLOBAL_PRIVILEGE anymore since it's just not needed, but keep code in for future reference. Change comment accordingly.
    * security.h (well_known_console_logon_sid): Declare.
    (privilege_luid): Align declaration to above change.
    * wincap.h (wincaps::has_console_logon_sid): New element.
    * wincap.cc: Implement above element throughout.

Patches:
    http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/ChangeLog.diff?cvsroot=src&r1=1.5519&r2=1.5520
    http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/sec_auth.cc.diff?cvsroot=src&r1=1.41&r2=1.42
    http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/sec_helper.cc.diff?cvsroot=src&r1=1.93&r2=1.94
    http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/security.h.diff?cvsroot=src&r1=1.116&r2=1.117
    http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/wincap.cc.diff?cvsroot=src&r1=1.118&r2=1.119
    http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/wincap.h.diff?cvsroot=src&r1=1.98&r2=1.99
src/winsup/cygwin ChangeLog fhandler_process.cc
CVSROOT: /cvs/src
Module name: src
Changes by: cori...@sourceware.org 2011-10-15 19:13:58

Modified files:
    winsup/cygwin : ChangeLog fhandler_process.cc

Log message:
    * fhandler_process.cc (dos_drive_mappings::fixup_if_match): Convert native NT network paths into DOS UNC paths.

Patches:
    http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/ChangeLog.diff?cvsroot=src&r1=1.5520&r2=1.5521
    http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/fhandler_process.cc.diff?cvsroot=src&r1=1.110&r2=1.111
winsup/cygwin ChangeLog cygerrno.h devices.cc ...
CVSROOT:/cvs/uberbaum Module name:winsup Changes by: c...@sourceware.org 2011-10-15 22:37:30 Modified files: cygwin : ChangeLog cygerrno.h devices.cc devices.h devices.in dtable.cc fhandler.cc fhandler.h fhandler_clipboard.cc fhandler_console.cc fhandler_disk_file.cc fhandler_fifo.cc fhandler_floppy.cc fhandler_proc.cc fhandler_random.cc fhandler_raw.cc fhandler_registry.cc fhandler_serial.cc fhandler_socket.cc fhandler_tape.cc fhandler_termios.cc fhandler_tty.cc fhandler_virtual.cc path.cc path.h pinfo.cc pinfo.h pipe.cc syscalls.cc tty.cc tty.h Log message: * cygerrno.h (__set_errno): Modify debugging output to make searching strace logs easier. Throughout, change /dev/tty* to /dev/pty*. Throughout, add flags argument to fhandler_*::dup methods. * devices.in: Rename (temporarily?) /dev/ttyN to /dev/ptyN. Add /dev/ptymN devices for pty masters. * devices.cc: Regenerate. * devices.h (MAX_CONSOLES): Set to max number supported by devices.in. (fh_devices::FH_PTMX): Rename from FH_PTYM. (device::operator int): Return by reference. * dtable.cc (fh_alloc): Take pc as an argument rather than just the device. This makes debugging easier since more information is available. Actually implement handling for already-allocated pty master devices. Make different decisions when generating fhandler for not-opened devices. Add kludge to deal with opening /dev/tty. (cnew_no_ctor): New macro. (build_fh_pc): Make debugging output more verbose. Use new clone() fhandler interface to duplicate archetypes. Reset last term opened. (dtable::dup_worker): Use Use new clone() fhandler interface to duplicate archetypes. Pass flags to child dup handler. (dtable::dup3): Set O_NOCTTY flag if newfd is not stdin/stdout/stderr. * fhandler.cc (fhandler_base::reset): Rename from operator =() and reduce functionality and sense of copy direction. (fhandler_base::open_with_arch): Use published interface to query io_handle(). Use new copyto() fhandler method to copy from/to found archetype. 
* fhandler.h: Throughout, delete size(), add copyout, clone, and fhandler_* (void *) methods. (fhandler_base::reset): Rename from operator =(). (fhandler_termios::is_dev_tty): Delete. (fhandler_termios): change protected region to private. (fhandler_termios::is_dev_tty): Delete. (fhandler_termios): Rearrange protected/public. (fhandler_termios::fhandler_termios): Remember last fhandler_termios opened. (fhandler_termios::~fhandler_termios): Forget last fhandler_termios opened. (ioctl): Rename from ioctl_termios. Take a void * argument. Reflect argument change in pinfo::set_ctty. (fhandler_console::dup): Declare new function. Set ctty here if appropriate. (fhandler_pty_master::from_master): Privatize. (fhandler_pty_master::to_master): Ditto. (fhandler_pty_master::dwProcessId): Ditto. (fhandler_pty_master::fhandler_pty_master): Add an `int' argument. (fhandler_pty_master::open_setup): Declare new function. (fhandler_pty_master::~fhandler_pty_master): Declare new method. (fhandler_nodevice): Remove commented out function declaration. * fhandler_console.cc: Use get_ttyp() instead of tc() throughout. (fhandler_console::dup): Define new function to set controlling ctty on dup, as appropriate. (fhandler_console::ioctl): Reflect ioctl_termios name change. (fhandler_console::setup): Rename from get_tty_stuff. (fhandler_console::open_setup): Reflect argument change in pinfo::set_ctty. (fhandler_console::fhandler_console): Set _tc here. * fhandler_termios.cc (handler_termios::ioctl): Rename. Take a void * arg like other ioctl functions. * fhandler_tty.cc (fhandler_pty_slave::dup): Call myself-set_ctty to potentially reset the controlling terminal. (fhandler_pty_slave::ioctl): Reflect name/arg change for ioctl_termios. (fhandler_pty_slave::fhandler_pty_slave): Take a unit argument. Call setup() here so that we will know the unit number of this fhandler as soon as possible. Set the unit as appropriate. (handler_pty_master::open): Move most stuff to constructor and open_setup. 
(handler_pty_slave::open_setup): Reflect argument change in pinfo::set_ctty. (handler_pty_master::open_setup): Define new function. (fhandler_pty_master::cleanup): Clear handles as a
WARNING: Couldn't compute FAST_CWD pointer. Please report this problem to the public mailing list cygwin@cygwin.com
Good afternoon,

I've installed the latest Cygwin on the latest Windows (win8 64, dev preview), with a few tools I use on a regular basis (ping, whois, wget, curl many more).

Unfortunately whenever I open it I get the aforementioned error. Same goes for when I try and use the g++ with Netbeans...

Could you please fix this bug ASAP?

Thanks,
Alec Taylor

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: Mapping underline to colour - how is the colour determined?
On 14 October 2011 14:18, Ronald Fischer wrote:

When I (to give an example) execute a man command within a mintty window, and do the same within a normal Windows console window, I see that those words represented as underlined words in the mintty window, are represented by a different colour in the Windows console windows. I guess this difference has nothing to do with the man command, but by the way the terminal definition says how render emphasized words. Since the Windows console (likely) can't underline, colouring is used. It's kind of a terminal property. Do I understand this correctly?

Yep.

I would like to understand, where this mapping to a certain colour is done. Reason is that the colour used for my Windows console window, is a bit hard to read and I would like to change it.

It's hardcoded in the Cygwin DLL (in winsup/cygwin/fhandler_console.cc), so you'd have to build that yourself to change it. Getting man/groff to use something other than the underline attribute might be the better approach, but I don't know how to do that.

Andy
Re: displaying Chinese radicals
On 15 October 2011 00:55, Kaz Kylheku wrote:

Lingyis writes:

cygwin xterm or rxvt does a good job when it comes to displaying Chinese characters, but it doesn't have fonts for all the Chinese radicals. maybe half of them show up as SQUARES. the ones that do show up i can tell cygwin did some substitutions--i.e. dug up other fonts when current font doesn't have this glyph.

Since you're on Windows, try running a ssh daemon and log into your Cygwin using PuTTY. (Or heck, properly secured telnet.)

Or just use mintty, a local Cygwin terminal that doesn't need an ssh or telnet server and that can be installed through Cygwin's setup.exe. It's based on PuTTY's terminal emulation and can also be configured to use any fixed-width Windows font.

Andy
Re: Where is /bin/nologin
Corinna Vinschen-2 wrote:

On Oct 14 14:04, Andrey Repin wrote:

...

I would advise against giving any clues about account status, for security reasons.

It's what Linux' `/sbin/nologin' prints, too. Actually it's the whole idea of `/sbin/nologin' per the man page:

  $ man nologin
  NOLOGIN(8)    BSD System Manager's Manual    NOLOGIN(8)

  NAME
       nologin — politely refuse a login
  [...]

Just `exit 0' should be replaced with `exit 1' since

  [...] nologin displays a message that an account is not available and exits non-zero.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
Please, send mails regarding Cygwin to cygwin AT cygwin DOT com

Nice script! Would be cool if it would be part of cygwin.

Btw. was the /etc/nologin.txt your addition? I think the original nologin doesn't even do that. At least not on Debian, where I just checked.

Although in general I agree with Andrey. I forgot all about /bin/false. So I am using that now. In fact I checked on my Linux box. I see that most no-shell users have /bin/false in /etc/passwd (like ftp or mysql). But others have nologin (e.g. user sshd on my machine).

Thanks,
gwodus.

--
View this message in context: http://old.nabble.com/Where-is--bin-nologin-tp32647652p32657023.html
Sent from the Cygwin list mailing list archive at Nabble.com.
Re: displaying Chinese radicals
On 13 October 2011 22:17, Lingyis wrote:

There is a so-called last resort font used in Mac (supposedly in Windows as well) so I suppose that's how Mac deals with them. If so, how do I make sure cygwin uses the last resort font, i.e. where do I put/install that font?

Windows doesn't have a single last resort font, but each font can have a list of fallback fonts, through the so-called font linking mechanism. This can be configured in the registry. MSDN has the details.

However, as far as I know, font linking doesn't take effect in the Windows console (and hence the default Cygwin console), which is why you'll see fewer glyphs being supported there than with the same font in other applications.

Andy
Re: Where is /bin/nologin
On Oct 15 01:24, gwodus wrote:

Nice script! Would be cool if it would be part of cygwin. Btw. was the /etc/nologin.txt your addition? I think the original nologin doesn't even do that. At least not on Debian, where I just checked.

It does on Fedora.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
Re: Red Hat Cygwin official installation utility ?
On Oct 14 16:09, Jan Chludzinski wrote:

What is this versus cygwin-dot-org ?

The supported version for which you can purchase support contracts.

Just tried Red Hat Cygwin official installation utility (www-dot-redhat-dot-com-slash-services-slash-custom-slash-cygwin) and their one download site (ftp-dot-ges-dot-redhat-dot-com) suffers from complete autism - i.e., totally unresponsive,

Works for me.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
Re: WARNING: Couldn't compute FAST_CWD pointer. Please report this problem to the public mailing list cygwin@cygwin.com
On Oct 15 18:43, Alec Taylor wrote:

Good afternoon, I've installed the latest Cygwin on the latest Windows (win8 64, dev preview), with a few tools I use on a regular basis (ping, whois, wget, curl many more). Unfortunately whenever I open it I get the aforementioned error. Same goes for when I try and use the g++ with Netbeans... Could you please fix this bug ASAP?

Fixed in CVS two days ago. Other than that, we don't support W8 until it will be officially released. Until then, expect broken behaviour.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
Re: admin privileges when logging in by ssh?
On Oct 14 21:14, Corinna Vinschen wrote:
On Oct 14 20:23, Corinna Vinschen wrote:
On Oct 14 11:18, Andrew Schulman wrote:

So the difference AFAICT is the membership in the Administrators group. Notice also in the two listings below, that by password authentication, backup gets Mandatory Label\High Mandatory Level while by pubkey, he gets Mandatory Label\Medium Mandatory Level whatever those are.

That's an UAC thingy. Keep in mind that Cygwin has to create the user token from scratch here, given that you are using password-less setuid method 1 (per http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). I'm not aware of a method to fetch the mandatory level SID a user is supposed to get, so what Cygwin does is simply to base the mandatory level SID on the membership in the admins group.

As for the missing privileges, they are not missing in the user token, they are just disabled: [...]

But even then, if the backup/restore privileges are disabled, it shouldn't matter in Cygwin. Cygwin enables both privileges right at process startup. Having said that, I have no idea why the privileges are disabled in your token.

The good news is that I can reproduce the behaviour on a Windows 2008 R2 box with a normal domain user account, which got explicit backup and restore rights. I don't know why this occurs when using password-less setuid method 1, this is something which I have to debug yet.

I just debugged this and now I know why this happens. The problem is the aforementioned Mandatory Label. A user token which has medium mandatory level can not enable these privileges, even if they are in the user token. If I create the token with high mandatory level, it's no problem to enable the backup/restore permissions at process startup.

However, I don't think it's a good idea to set the high mandatory level on a token unconditionally. This should only be done if the token contains certain privileges. The problem now is to find out which permissions are affected by this. I don't see any list of privileges on MSDN in terms of UAC restriction.

Oh well, no pain, no gain. I applied a patch to CVS which should solve this problem in a generic way. I observed how Windows handles the privileges when creating a token and your scenario should be nicely covered now. I also dropped a somewhat dangerous behaviour in terms of security when creating a token from scratch.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
Re: admin privileges when logging in by ssh?
On Oct 14 21:14, Corinna Vinschen wrote:
On Oct 14 20:23, Corinna Vinschen wrote:
On Oct 14 11:18, Andrew Schulman wrote:

So the difference AFAICT is the membership in the Administrators group. Notice also in the two listings below, that by password authentication, backup gets Mandatory Label\High Mandatory Level while by pubkey, he gets Mandatory Label\Medium Mandatory Level whatever those are.

That's an UAC thingy. Keep in mind that Cygwin has to create the user token from scratch here, given that you are using password-less setuid method 1 (per http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). I'm not aware of a method to fetch the mandatory level SID a user is supposed to get, so what Cygwin does is simply to base the mandatory level SID on the membership in the admins group.

I just debugged this and now I know why this happens. The problem is the aforementioned Mandatory Label. A user token which has medium mandatory level can not enable these privileges, even if they are in the user token. If I create the token with high mandatory level, it's no problem to enable the backup/restore permissions at process startup.

However, I don't think it's a good idea to set the high mandatory level on a token unconditionally. This should only be done if the token contains certain privileges. The problem now is to find out which permissions are affected by this. I don't see any list of privileges on MSDN in terms of UAC restriction.

Oh well, no pain, no gain. I applied a patch to CVS which should solve this problem in a generic way. I observed how Windows handles the privileges when creating a token and your scenario should be nicely covered now. I also dropped a somewhat dangerous behaviour in terms of security when creating a token from scratch.

Thank you. I'll test the next snapshot and let you know how it goes.

You said that Cygwin should only set the high mandatory level if the token contains certain privileges. So I guess that SeBackupPrivilege and SeRestorePrivilege are among the ones that trigger the high mandatory level? Anything more we should know about that?

The complexity of this thing sure is growing. Amazing that new wrinkles are still being found.
Re: admin privileges when logging in by ssh?
On Oct 15 13:32, Andrew Schulman wrote:
On Oct 14 21:14, Corinna Vinschen wrote:

I applied a patch to CVS which should solve this problem in a generic way. I observed how Windows handles the privileges when creating a token and your scenario should be nicely covered now. I also dropped a somewhat dangerous behaviour in terms of security when creating a token from scratch.

Thank you. I'll test the next snapshot and let you know how it goes. You said that Cygwin should only set the high mandatory level if the token contains certain privileges. So I guess that SeBackupPrivilege and SeRestorePrivilege are among the ones that trigger the high mandatory level? Anything more we should know about that?

By simply trying them out, I created a list of the privileges which trigger the high integrity level requirement. See, for instance, http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/sec_helper.cc.diff?r1=1.93&r2=1.94&cvsroot=src&f=h

For the security related change, see the second patch snippet in http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/sec_auth.cc.diff?r1=1.41&r2=1.42&cvsroot=src&f=h

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
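The before/after rule discussed in this thread, as a small C model added here for illustration; it is not Cygwin's code and not part of any message. The function names and the four-entry table are assumptions: the thread shows only backup/restore failing at medium level, and the real list is in the sec_helper.cc diff linked above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Well-known mandatory label SIDs. */
#define MEDIUM_LABEL "S-1-16-8192"   /* Mandatory Label\Medium Mandatory Level */
#define HIGH_LABEL   "S-1-16-12288"  /* Mandatory Label\High Mandatory Level */

/* Privilege name plus a flag saying whether it can only be enabled in a
   high-integrity token (the role the ChangeLog gives the new cygpriv flag). */
struct priv_entry {
    const char *name;
    bool high_integrity;
};

/* Constructed table, not Cygwin's list: backup/restore are the two the thread
   shows failing at medium level; the other two are privileges that ordinary
   medium-integrity tokens hold. */
static const struct priv_entry priv_table[] = {
    { "SeBackupPrivilege",       true  },
    { "SeRestorePrivilege",      true  },
    { "SeChangeNotifyPrivilege", false },
    { "SeShutdownPrivilege",     false },
};

static bool needs_high(const char *name)
{
    for (size_t i = 0; i < sizeof priv_table / sizeof priv_table[0]; i++)
        if (strcmp(priv_table[i].name, name) == 0)
            return priv_table[i].high_integrity;
    return false;   /* unknown names are treated as not flagged in this model */
}

/* Before: label chosen from Administrators membership alone. */
const char *label_from_group(bool in_admins)
{
    return in_admins ? HIGH_LABEL : MEDIUM_LABEL;
}

/* After: label chosen from the privileges that go into the token. */
const char *label_from_privs(const char *const *privs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (needs_high(privs[i]))
            return HIGH_LABEL;
    return MEDIUM_LABEL;
}

/* Count privileges that are present in the token but cannot be enabled
   because the label is below high. */
size_t unusable_privs(const char *label, const char *const *privs, size_t n)
{
    size_t stuck = 0;
    bool high = strcmp(label, HIGH_LABEL) == 0;
    for (size_t i = 0; i < n; i++)
        if (needs_high(privs[i]) && !high)
            stuck++;
    return stuck;
}

int main(void)
{
    /* Constructed account: not in Administrators, explicit backup/restore rights. */
    static const char *const rights[] = {
        "SeBackupPrivilege", "SeRestorePrivilege", "SeChangeNotifyPrivilege" };
    const char *before = label_from_group(false);
    const char *after = label_from_privs(rights, 3);
    printf("before: %s, %zu privileges stuck disabled\n",
           before, unusable_privs(before, rights, 3));
    printf("after:  %s, %zu privileges stuck disabled\n",
           after, unusable_privs(after, rights, 3));
    return 0;
}
```

A token labelled by the second rule stays at medium level for an account whose rights carry no flagged privilege, which is the condition the thread sets for not raising the label unconditionally.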
gdb non-stop mode
If I set non-stop mode in gdb and then try to run whatever program I'm debugging, I get the message

  The target does not support running in non-stop mode.

Is this a limitation of Cygwin's gdb? I don't really have any need to use non-stop mode; I just need to know what's going on in order to properly configure gdb under emacs.

Ken
Re: Red Hat Cygwin official installation utility ?
On Fri, Oct 14, 2011 at 04:09:58PM -0400, Jan Chludzinski wrote:

What is this versus cygwin-dot-org ? Just tried Red Hat Cygwin official installation utility (www-dot-redhat-dot-com-slash-services-slash-custom-slash-cygwin) and their one download site (ftp-dot-ges-dot-redhat-dot-com) suffers from complete autism - i.e., totally unresponsive,

This is a repugnant analogy and off-topic for this mailing list.

Contact Red Hat if you have a problem with their site. We don't support it here.