Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

2008-03-05 Thread Corinna Vinschen
On Mar  4 22:29, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> I didn't mean to say that other packages shouldn't use this function
>> library.  I was merely saying that other scripts which don't have to
>> switch the user context don't have to be converted in the first place.
>> There's no pressure.
>
> Right -- but they CAN use the other facilities in csih if they want to. See
> http://cygwin.cwilson.fastmail.fm/ITP/syslogd-config

Looks nice.  You should add yourself to the copyright and, maybe,
fix the 3 year old typo in Berkley :}


Thanks,
Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader  cygwin AT cygwin DOT com
Red Hat


Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

2008-03-04 Thread Charles Wilson

Corinna Vinschen wrote:

> On Feb 27 22:22, Charles Wilson wrote:
>>>>    (2) rewrite ssh-host-config to use it
>>> (4a) rewrite syslog-ng-config to use it
>
> Don't get me wrong.  I was not suggesting that you should do all these
> conversions.  It would be nice to have one or two template scripts, like
> iu-config and syslog-config.  Every other script is rather the job of
> the package maintainer, isn't it?  Unless you plan to speed up the
> migration, of course.


Sort of. I really just wanted to be sure that csih provided all the 
necessary facilities -- and that they actually worked when used 'in the 
wild'.  The best way to do that is to exercise the csih code from as 
many different contexts as possible, not just iu-config and syslogd-config.


However, I think the urgency of these other 'rewrites' is fairly low. 
I'll work on that in the background, because right now, I think external
users of iu-config/syslogd-config will provide me with all the bug 
reports on csih that I can handle, for a while.  This is not to say that 
I think csih is chock-full-of-bugs -- it's not -- but I only have the 
one XP system to test on.  Monocultures make me nervous...



> I didn't mean to say that other packages shouldn't use this function
> library.  I was merely saying that other scripts which don't have to
> switch the user context don't have to be converted in the first place.
> There's no pressure.


Right -- but they CAN use the other facilities in csih if they want to. 
See http://cygwin.cwilson.fastmail.fm/ITP/syslogd-config


--
Chuck


Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

2008-02-28 Thread Corinna Vinschen
On Feb 27 22:22, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> (4a) rewrite syslog-ng-config to use it
>
> Okay, thanks.

Don't get me wrong.  I was not suggesting that you should do all these
conversions.  It would be nice to have one or two template scripts, like
iu-config and syslog-config.  Every other script is rather the job of
the package maintainer, isn't it?  Unless you plan to speed up the
migration, of course.

>> But actually, services which don't have to switch user accounts don't
>> really need it.
>
> True, unless you want to create an unprivileged user for the service
> (unless, post-XP, even LocalSystem is considered unprivileged?)

I didn't mean to say that other packages shouldn't use this function
library.  I was merely saying that other scripts which don't have to
switch the user context don't have to be converted in the first place.
There's no pressure.

SYSTEM is of course not an unprivileged user.  It has permissions to do
stuff no other account has.  Since 2K3/XP 64 it has no right to create
a user token *only* when used as service starter account.  That's the
only reason we need another account for those of our services which have
to switch user context w/o password (sshd, inetd, xinetd, proftpd, cron,
did I miss one?).  Standard services which need a lot of permissions but
no permission to create a token can stick to the SYSTEM account.

Actually it's deprecated to use the SYSTEM account for services unless
the service really needs SYSTEM permissions.  In XP Microsoft
started with introducing the LocalService (S-1-5-19) and
NetworkService (S-1-5-20) accounts which have much less rights than
SYSTEM and Vista introduces a much more fine grained concept.

Maybe we should always add the above two service accounts to /etc/passwd.
It's a small tweak to mkpasswd which might have some benefits.

>> Erm... why are all these functions called csh_foo?  Cygwin SHell?
>> It sounds so much as if these functions are csh functions.  Maybe
>> cf or cyg would be a better prefix?
>
> Cygwin-Services-Helper.
>
> Since this is a function library that will be sourced into other scripts, I
> was trying to make sure it was, as far as possible, namespace clean:
> prefixes on all function names and public variables, ensure to label
> function-local vars as 'local' so they don't leak, etc.

Sure.  No worries.  But as tcsh maintainer and user I really stumbled
over the prefix :)


Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader  cygwin AT cygwin DOT com
Red Hat


Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

2008-02-28 Thread Corinna Vinschen
On Feb 28 11:34, Corinna Vinschen wrote:
> Actually it's deprecated to use the SYSTEM account for services unless
> the service really needs SYSTEM permissions.  In XP Microsoft
> started with introducing the LocalService (S-1-5-19) and
> NetworkService (S-1-5-20) accounts which have much less rights than
> SYSTEM and Vista introduces a much more fine grained concept.
>
> Maybe we should always add the above two service accounts to /etc/passwd.
> It's a small tweak to mkpasswd which might have some benefits.

Done.


Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader  cygwin AT cygwin DOT com
Red Hat


Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

2008-02-28 Thread Pierre A. Humblet

- Original Message - 
From: Corinna Vinschen 
To: cygwin-apps
Sent: Thursday, February 28, 2008 5:34 AM
Subject: Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]


| only reason we need another account for those of our services which have
| to switch user context w/o password (sshd, inetd, xinetd, proftpd, cron,
| did I miss one?).  

exim

Pierre


Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

2008-02-27 Thread Corinna Vinschen
On Feb 27 00:34, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> On Feb 25 20:46, Charles Wilson wrote:
>>> [*] or maybe a script function library somewhere like
>>> /usr/lib/cygwin-services/ that foo-config could 'source', and then call
>>> the functions directly.  This would help the enter the password twice
>>> problem...
>> Sounds good!  The function library would be cool.
>
> Here's my first draft.  Totally untested, almost nuthin' in the way of
> documentation...but I figured I'd post it now, because I won't have time
> for any more cygwin stuff until the weekend...

Wow, thanks for the quick implementation.  Unfortunately I won't have
time to look into this for now since I have to look into a Win2K problem
with network paths.

> TODO: (1) test, documentation, bughunt this function library
>       (2) rewrite ssh-host-config to use it
>       (3) rewrite iu-config to use it
>       (4) rewrite syslog-config to use it

(4a) rewrite syslog-ng-config to use it

But actually, services which don't have to switch user accounts don't
really need it.

> # REQUIREMENTS:
> #   SHELL must be bash
> #
> # PROVIDES:
> #   csh_error
> #   csh_error_multi
> #   csh_warning
> #   csh_inform
> #   csh_verbose
> #   csh_request
> #   csh_is_nt
> #   csh_is_nt2003
> #   csh_check_prog
> #   csh_check_prog_req
> #   csh_install_config
> #   csh_make_dir
> #   csh_privileged_user_name
> #   csh_privileged_user_exists
> #   csh_service_should_run_as
> #   csh_check_mounts
> #   csh_create_privileged_user
> #   csh_create_unprivileged_user

Erm... why are all these functions called csh_foo?  Cygwin SHell?
It sounds so much as if these functions are csh functions.  Maybe
cf or cyg would be a better prefix?


Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader  cygwin AT cygwin DOT com
Red Hat


Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

2008-02-27 Thread Igor Peshansky
On Wed, 27 Feb 2008, Corinna Vinschen wrote:

> On Feb 27 00:34, Charles Wilson wrote:
>> Corinna Vinschen wrote:
>>> On Feb 25 20:46, Charles Wilson wrote:
>>>> [*] or maybe a script function library somewhere like
>>>> /usr/lib/cygwin-services/ that foo-config could 'source', and then call
>>>> the functions directly.  This would help the enter the password twice
>>>> problem...
>>> Sounds good!  The function library would be cool.
>>
>> Here's my first draft.  Totally untested, almost nuthin' in the way of
>> documentation...but I figured I'd post it now, because I won't have time
>> for any more cygwin stuff until the weekend...
>
> Wow, thanks for the quick implementation.  Unfortunately I won't have
> time to look into this for now since I have to look into a Win2K problem
> with network paths.
>
>> TODO: (1) test, documentation, bughunt this function library
>>       (2) rewrite ssh-host-config to use it
>>       (3) rewrite iu-config to use it
>>       (4) rewrite syslog-config to use it
>
> (4a) rewrite syslog-ng-config to use it
>
> But actually, services which don't have to switch user accounts don't
> really need it.

They won't need the "create a user that can switch user contexts"
functionality, but they might use the "install as service using cygrunsrv
with the following flags" one.

>> # REQUIREMENTS:
>> #   SHELL must be bash
>> #
>> # PROVIDES:
>> #   csh_error
>> #   csh_error_multi
>> #   csh_warning
>> #   csh_inform
>> #   csh_verbose
>> #   csh_request
>> #   csh_is_nt
>> #   csh_is_nt2003
>> #   csh_check_prog
>> #   csh_check_prog_req
>> #   csh_install_config
>> #   csh_make_dir
>> #   csh_privileged_user_name
>> #   csh_privileged_user_exists
>> #   csh_service_should_run_as
>> #   csh_check_mounts
>> #   csh_create_privileged_user
>> #   csh_create_unprivileged_user
>
> Erm... why are all these functions called csh_foo?  Cygwin SHell?

I would guess Cygwin Services Helper...  Though it probably should be
Cygwin Service Installation Helper, or csih.

> It sounds so much as if these functions are csh functions.  Maybe
> cf or cyg would be a better prefix?

Umm, did you mean cgf? :-D
Igor
-- 
http://cs.nyu.edu/~pechtcha/
  |\  _,,,---,,_[EMAIL PROTECTED] | [EMAIL PROTECTED]
ZZZzz /,`.-'`'-.  ;-;;,_Igor Peshansky, Ph.D. (name changed!)
 |,4-  ) )-,_. ,\ (  `'-'   old name: Igor Pechtchanski
'---''(_/--'  `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

That which is hateful to you, do not do to your neighbor.  That is the whole
Torah; the rest is commentary.  Go and study it. -- Rabbi Hillel


Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

2008-02-27 Thread Pierre A. Humblet

- Original Message - 
From: Charles Wilson 
To: Mailing List: CygWin-Apps 
Sent: Wednesday, February 27, 2008 12:34 AM
Subject: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]


| Corinna Vinschen wrote:
|  On Feb 25 20:46, Charles Wilson wrote:
|  How about a new package, cygwin-services-helper or somesuch, that 
|  contains
| 
|  (1) a script [*] derived from the appropriate portion of sshd-host-config, 
|  whose job is to create the appropriate privileged user (I like 
|  'cygwin_svc') -- unless it already exists under either name ('cygwin_svc' 
|  or 'sshd_server').

Privileged users are also created by exim-config and cron-config. 
They use the same sh function to do that (the password is entered once). 
It checks for existing names; cyg_server cron_server sshd_server
and suggests using cyg_server if none is found (user can override).
Can you also check for those names, and possibly consider using
cyg_server  instead of  'cygwin_svc' ?
I will switch to calling your scripts once they are stable.

Pierre


Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

2008-02-27 Thread Charles Wilson

Corinna Vinschen wrote:

> On Feb 27 00:34, Charles Wilson wrote:

[snip]

> Wow, thanks for the quick implementation.  Unfortunately I won't have
> time to look into this for now since I have to look into a Win2K problem
> with network paths.



No problem. I just wanted to see how hard it was going to be -- and
since it was my suggestion: money, meet mouth.  Turns out it wasn't
really that hard at all to extract the necessary bits. (He says, having
done zero testing...)



> (4a) rewrite syslog-ng-config to use it


Okay, thanks.


> But actually, services which don't have to switch user accounts don't
> really need it.


True, unless you want to create an unprivileged user for the service 
(unless, post-XP, even LocalSystem is considered unprivileged?)


> Erm... why are all these functions called csh_foo?  Cygwin SHell?
> It sounds so much as if these functions are csh functions.  Maybe
> cf or cyg would be a better prefix?


Cygwin-Services-Helper.

Since this is a function library that will be sourced into other 
scripts, I was trying to make sure it was, as far as possible, namespace 
 clean: prefixes on all function names and public variables, ensure to 
label function-local vars as 'local' so they don't leak, etc.


--
Chuck
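
The name check Pierre asks for, written in the namespace-clean style Chuck describes above (prefixed names, `local` helpers), as an added example that is not part of the thread or of csih. The `csihx_` names, the return codes and the sample passwd lines are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not csih code: every csihx_* name is hypothetical.

# Names to look for, in the order Pierre lists them; the first hit wins.
csihx_PRIV_CANDIDATES="cyg_server cron_server sshd_server"
csihx_PRIV_DEFAULT="cyg_server"

# csihx_find_privileged_user [passwd_file]
#   prints an existing account name and returns 0, or
#   prints the suggested default and returns 1 (none exists), or
#   reports on stderr and returns 2 (file unreadable).
csihx_find_privileged_user() {
  local passwd_file candidate   # helpers stay out of the caller's namespace
  passwd_file="${1:-/etc/passwd}"
  if [ ! -r "$passwd_file" ]; then
    echo "cannot read $passwd_file" >&2
    return 2
  fi
  for candidate in $csihx_PRIV_CANDIDATES; do
    # Compare the whole first field only: "sshd_server_old", or a comment
    # field that mentions a candidate, must not count as that account.
    if awk -F: -v want="$candidate" \
         '$1 == want { found = 1 } END { exit !found }' "$passwd_file"; then
      echo "$candidate"
      return 0
    fi
  done
  echo "$csihx_PRIV_DEFAULT"
  return 1
}

# Constructed passwd(5)-style sample; the accounts are made up for the demo.
csihx_write_sample() {
  cat > "$1" <<'EOF'
sshd_server_old:unused:1005:513:renamed account:/var/empty:/bin/false
alice:unused:1001:513:talks to cyg_server:/home/alice:/bin/bash
sshd_server:unused:1004:513:sshd privsep:/var/empty:/bin/false
EOF
}

# A caller that owns a global named "candidate": the lookup runs in the
# same shell (no subshell), and the caller's value is still there afterwards.
csihx_demo() {
  local sample
  sample=$(mktemp) || return 2
  csihx_write_sample "$sample"
  candidate="callers-own-value"
  csihx_find_privileged_user "$sample"
  rm -f "$sample"
  echo "candidate is still: $candidate"
}

csihx_demo
```

A calling script can branch on the return code: 0 means reuse the printed account, 1 means offer the printed default to the user before creating it.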


cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

2008-02-26 Thread Charles Wilson

Corinna Vinschen wrote:

> On Feb 25 20:46, Charles Wilson wrote:
>> How about a new package, cygwin-services-helper or somesuch, that
>> contains
>>
>> (1) a script [*] derived from the appropriate portion of sshd-host-config,
>> whose job is to create the appropriate privileged user (I like
>> 'cygwin_svc') -- unless it already exists under either name ('cygwin_svc'
>> or 'sshd_server').
>>
>> (2) maybe another script [*] whose job is to ascertain whether such a user
>> already exists, and return its name (or  if not).
>>
>> It would be up to the calling foo-config to use these two scripts
>> appropriately.  And, of course, the user might have to enter the password
>> for the privileged user account twice: once when it is created, and then
>> again (by foo-config) to install the service 'foo'.
>>
>> Then, openssh (and inetutils, and syslog-ng, and sysvinit, ...) could all
>> depend on the cygwin-services-helper package.
>>
>> [*] or maybe a script function library somewhere like
>> /usr/lib/cygwin-services/ that foo-config could 'source', and then call the
>> functions directly.  This would help the enter the password twice
>> problem...
>
> Sounds good!  The function library would be cool.


Here's my first draft.  Totally untested, almost nuthin' in the way of 
documentation...but I figured I'd post it now, because I won't have time 
for any more cygwin stuff until the weekend...


TODO: (1) test, documentation, bughunt this function library
      (2) rewrite ssh-host-config to use it
      (3) rewrite iu-config to use it
      (4) rewrite syslog-config to use it
      (5) chase setup.exe bug with regards to inetutils' setup.hint
      (6) incorporate bugfix for rshd (and rexecd /does/ have a similar
          bug)
      (7) remove --install-as-service from inetd
      (7a) add code to read existing \\Parameters\ConfigFilePath
          REG_SZ,, instead of ignoring it completely in favor of
          \\Parameters\ConfigFilePaths REG_MULTI_SZ -- probably migrating
          it over to the new REG_MULTI_SZ, since new 1.5 code *expects*
          at least two entries in the char** config_files array.
      (8) batten down the hatches on default inetd.conf
      (9) update inetutils.README to reflect #7  #8

Yeesh.  This is gonna take a while...

--
Chuck

#--  #!/bin/bash  --
# cygwin_services_helper.sh
#
# This is a script library used to assist installing cygwin
# services, such as sshd.  It is derived in part from
#
#   ssh-host-config (2008-02-25) Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
# part of the Cygwin port of OpenSSH
#
#   cygport (2008-02-25) Copyright (C) 2006, 2007 Yaakov Selkowitz
# GPL v3
#
# Do not attempt to run this file. Instead, it should be sourced by
# configuration scripts (such as a newer version of ssh-host-config,
# syslog-config, or iu-config) -- and that script should then use
# the shell functions defined here.
#
# REQUIREMENTS:
#   SHELL must be bash
#
# PROVIDES:
#   csh_error
#   csh_error_multi
#   csh_warning
#   csh_inform
#   csh_verbose
#   csh_request
#   csh_is_nt
#   csh_is_nt2003
#   csh_check_prog
#   csh_check_prog_req
#   csh_install_config
#   csh_make_dir
#   csh_privileged_user_name
#   csh_privileged_user_exists
#   csh_service_should_run_as
#   csh_check_mounts
#   csh_create_privileged_user
#   csh_create_unprivileged_user
#
# MUTABLE VARIABLES:
#   csh_FORCE_PRIVILEGED_USER
#     if yes, then create a privileged user even on NT/2k/XP
#     where it is not required (on those versions, LocalSystem
#     will do fine).
#   SYSCONFDIR
#     default value = /etc
#   LOCALSTATEDIR
#     default value = /var
#   csh_auto_answer
#     default value = "" (no automatic answers)


csh_progname=$0
csh_progname_base=$(basename "$csh_progname")
csh_auto_answer=""
csh_FORCE_PRIVILEGED_USER=no

# Expansions are quoted so that a value containing spaces cannot break the test.
if [ -z "${SYSCONFDIR}" ]
then
  SYSCONFDIR=/etc
fi

if [ -z "${LOCALSTATEDIR}" ]
then
  LOCALSTATEDIR=/var
fi

# messaging functions borrowed from cygport
csh_error() {
  # Keep the caller's failing exit status; fall back to 1 if it was 0.
  case $? in
    0) local errorcode=1 ;;
    *) local errorcode=$? ;;
  esac

  echo -e "\e[1;31m*** ERROR:\e[0;0m ${1:-no error message provided}";
  exit ${errorcode};
}
csh_error_multi() {
  # used for multi-line error messages.
  case $? in
    0) local errorcode=1 ;;
    *) local errorcode=$? ;;
  esac

  while test $# -gt 1
  do
    echo -e "\e[1;31m*** ERROR:\e[0;0m ${1}";
    shift
  done
  echo -e "\e[1;31m*** ERROR:\e[0;0m ${1:-no error message provided}";
  exit ${errorcode};
}

csh_warning() {
  echo -e "\e[1;33m*** Warning:\e[0;0m ${1}";
}

csh_inform() {
  echo -e "\e[1;32m*** Info:\e[0;0m ${1}";
}

csh_verbose() {
  # Echo the command line, then run it; "$@" keeps each argument one word.
  echo "$@"
  "$@"
  return $?
}

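# Ask a yes/no question: returns 0 for yes, 1 for no.
# csh_auto_answer=yes|no answers without prompting.
csh_request()
{
  local answer=""

  if [ "${csh_auto_answer}" = "yes" ]
  then
    echo "$1 (yes/no) yes"
    return 0
  elif [ "${csh_auto_answer}" = "no" ]
  then
    echo "$1 (yes/no) no"
    return 1
  fi

  # Only the literal answers "yes" and "no" end the loop.
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read -e answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}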