Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]
On Mar 4 22:29, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> I didn't mean to say that other packages shouldn't use this function
>> library.  I was merely saying that other scripts which don't have to
>> switch the user context don't have to be converted in the first place.
>> There's no pressure.
>
> Right -- but they CAN use the other facilities in csih if they want to.
> See http://cygwin.cwilson.fastmail.fm/ITP/syslogd-config

Looks nice.  You should add yourself to the copyright and, maybe, fix
the 3 year old typo in Berkley :}

Thanks,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]
Corinna Vinschen wrote:
> On Feb 27 22:22, Charles Wilson wrote:
>>>> (2) rewrite ssh-host-config to use it
>>> (4a) rewrite syslog-ng-config to use it
>
> Don't get me wrong.  I was not suggesting that you should do all these
> conversions.  It would be nice to have one or two template scripts, like
> iu-config and syslog-config.  Every other script is rather the job of
> the package maintainer, isn't it?  Unless you plan to speed up the
> migration, of course.

Sort of. I really just wanted to be sure that csih provided all the
necessary facilities -- and that they actually worked when used 'in the
wild'. The best way to do that is to exercise the csih code from as many
different contexts as possible, not just iu-config and syslogd-config.

However, I think the urgency of these other 'rewrites' is fairly low.
I'll work on that in the background, because right now, I think external
users of iu-config/syslogd-config will provide me with all the bug
reports on csih that I can handle, for a while. This is not to say that
I think csih is chock-full-of-bugs -- it's not -- but I only have the
one XP system to test on. Monocultures make me nervous...

> I didn't mean to say that other packages shouldn't use this function
> library.  I was merely saying that other scripts which don't have to
> switch the user context don't have to be converted in the first place.
> There's no pressure.

Right -- but they CAN use the other facilities in csih if they want to.
See http://cygwin.cwilson.fastmail.fm/ITP/syslogd-config

--
Chuck

Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]
On Feb 27 22:22, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> (4a) rewrite syslog-ng-config to use it
>
> Okay, thanks.

Don't get me wrong.  I was not suggesting that you should do all these
conversions.  It would be nice to have one or two template scripts, like
iu-config and syslog-config.  Every other script is rather the job of
the package maintainer, isn't it?  Unless you plan to speed up the
migration, of course.

>> But actually, services which don't have to switch user accounts don't
>> really need it.
>
> True, unless you want to create an unprivileged user for the service
> (unless, post-XP, even LocalSystem is considered unprivileged?)

I didn't mean to say that other packages shouldn't use this function
library.  I was merely saying that other scripts which don't have to
switch the user context don't have to be converted in the first place.
There's no pressure.

SYSTEM is of course not an unprivileged user.  It has permissions to do
stuff no other account has.  Since 2K3/XP 64 it has no right to create a
user token *only* when used as service starter account.  That's the
only reason we need another account for those of our services which have
to switch user context w/o password (sshd, inetd, xinetd, proftpd, cron,
did I miss one?).  Standard services which need a lot of permissions but
no permission to create a token can stick to the SYSTEM account.

Actually it's deprecated to use the SYSTEM account for services unless
the service really needs SYSTEM permissions.  In XP Microsoft started
with introducing the LocalService (S-1-5-19) and NetworkService
(S-1-5-20) accounts which have much less rights than SYSTEM and Vista
introduces a much more fine grained concept.

Maybe we should always add the above two service accounts to
/etc/passwd.  It's a small tweak to mkpasswd which might have some
benefits.

>> Erm... why are all these functions called csh_foo?  Cygwin SHell?
>> It sounds so much as if these functions are csh functions.  Maybe cf or
>> cyg would be a better prefix?
>
> Cygwin-Services-Helper.  Since this is a function library that will be
> sourced into other scripts, I was trying to make sure it was, as far as
> possible, namespace clean: prefixes on all function names and public
> variables, ensure to label function-local vars as 'local' so they don't
> leak, etc.

Sure.  No worries.  But as tcsh maintainer and user I really stumbled
over the prefix :)

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]
On Feb 28 11:34, Corinna Vinschen wrote:
> Actually it's deprecated to use the SYSTEM account for services unless
> the service really needs SYSTEM permissions.  In XP Microsoft started
> with introducing the LocalService (S-1-5-19) and NetworkService
> (S-1-5-20) accounts which have much less rights than SYSTEM and Vista
> introduces a much more fine grained concept.
>
> Maybe we should always add the above two service accounts to
> /etc/passwd.  It's a small tweak to mkpasswd which might have some
> benefits.

Done.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]
----- Original Message -----
From: Corinna Vinschen
To: cygwin-apps
Sent: Thursday, February 28, 2008 5:34 AM
Subject: Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

| only reason we need another account for those of our services which have
| to switch user context w/o password (sshd, inetd, xinetd, proftpd, cron,
| did I miss one?).

exim

Pierre

Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]
On Feb 27 00:34, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> On Feb 25 20:46, Charles Wilson wrote:
>>> [*] or maybe a script function library somewhere like
>>> /usr/lib/cygwin-services/ that foo-config could 'source', and then
>>> call the functions directly.  This would help the enter the password
>>> twice problem...
>>
>> Sounds good!  The function library would be cool.
>
> Here's my first draft. Totally untested, almost nuthin' in the way of
> documentation...but I figured I'd post it now, because I won't have time
> for any more cygwin stuff until the weekend...

Wow, thanks for the quick implementation.  Unfortunately I won't have
time to look into this for now since I have to look into a Win2K problem
with network paths.

> TODO:
> (1) test, documentation, bughunt this function library
> (2) rewrite ssh-host-config to use it
> (3) rewrite iu-config to use it
> (4) rewrite syslog-config to use it

(4a) rewrite syslog-ng-config to use it

But actually, services which don't have to switch user accounts don't
really need it.

> # REQUIREMENTS:
> #   SHELL must be bash
> #
> # PROVIDES:
> #    csh_error
> #    csh_error_multi
> #    csh_warning
> #    csh_inform
> #    csh_verbose
> #    csh_request
> #    csh_is_nt
> #    csh_is_nt2003
> #    csh_check_prog
> #    csh_check_prog_req
> #    csh_install_config
> #    csh_make_dir
> #    csh_privileged_user_name
> #    csh_privileged_user_exists
> #    csh_service_should_run_as
> #    csh_check_mounts
> #    csh_create_privileged_user
> #    csh_create_unprivileged_user

Erm... why are all these functions called csh_foo?  Cygwin SHell?
It sounds so much as if these functions are csh functions.  Maybe cf or
cyg would be a better prefix?

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]
On Wed, 27 Feb 2008, Corinna Vinschen wrote:

> On Feb 27 00:34, Charles Wilson wrote:
>> Corinna Vinschen wrote:
>>> On Feb 25 20:46, Charles Wilson wrote:
>>>> [*] or maybe a script function library somewhere like
>>>> /usr/lib/cygwin-services/ that foo-config could 'source', and then
>>>> call the functions directly.  This would help the enter the password
>>>> twice problem...
>>>
>>> Sounds good!  The function library would be cool.
>>
>> Here's my first draft. Totally untested, almost nuthin' in the way of
>> documentation...but I figured I'd post it now, because I won't have time
>> for any more cygwin stuff until the weekend...
>
> Wow, thanks for the quick implementation.  Unfortunately I won't have
> time to look into this for now since I have to look into a Win2K problem
> with network paths.
>
>> TODO:
>> (1) test, documentation, bughunt this function library
>> (2) rewrite ssh-host-config to use it
>> (3) rewrite iu-config to use it
>> (4) rewrite syslog-config to use it
>
> (4a) rewrite syslog-ng-config to use it
>
> But actually, services which don't have to switch user accounts don't
> really need it.

They won't need the create a user that can switch user contexts
functionality, but they might use the install as service using cygrunsrv
with the following flags one.

>> # REQUIREMENTS:
>> #   SHELL must be bash
>> #
>> # PROVIDES:
>> #    csh_error
>> #    csh_error_multi
>> #    csh_warning
>> #    csh_inform
>> #    csh_verbose
>> #    csh_request
>> #    csh_is_nt
>> #    csh_is_nt2003
>> #    csh_check_prog
>> #    csh_check_prog_req
>> #    csh_install_config
>> #    csh_make_dir
>> #    csh_privileged_user_name
>> #    csh_privileged_user_exists
>> #    csh_service_should_run_as
>> #    csh_check_mounts
>> #    csh_create_privileged_user
>> #    csh_create_unprivileged_user
>
> Erm... why are all these functions called csh_foo?  Cygwin SHell?

I would guess Cygwin Services Helper...  Though it probably should be
Cygwin Service Installation Helper, or csih.

> It sounds so much as if these functions are csh functions.  Maybe cf or
> cyg would be a better prefix?

Umm, did you mean cgf? :-D
	Igor
--
http://cs.nyu.edu/~pechtcha/
Igor Peshansky, Ph.D. (name changed!)
old name: Igor Pechtchanski
a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

That which is hateful to you, do not do to your neighbor.  That is the whole
Torah; the rest is commentary.  Go and study it. -- Rabbi Hillel

Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]
----- Original Message -----
From: Charles Wilson
To: Mailing List: CygWin-Apps
Sent: Wednesday, February 27, 2008 12:34 AM
Subject: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]

| Corinna Vinschen wrote:
| > On Feb 25 20:46, Charles Wilson wrote:
| >> How about a new package, cygwin-services-helper or somesuch, that
| >> contains
| >>
| >> (1) a script [*] derived from the appropriate portion of sshd-host-config,
| >> whose job is to create the appropriate privileged user (I like
| >> 'cygwin_svc') -- unless it already exists under either name ('cygwin_svc'
| >> or 'sshd_server').

Privileged users are also created by exim-config and cron-config.
They use the same sh function to do that (the password is entered once).
It checks for existing names;
  cyg_server cron_server sshd_server
and suggests using cyg_server if none is found (user can override).

Can you also check for those names, and possibly consider using
cyg_server instead of 'cygwin_svc'?

I will switch to calling your scripts once they are stable.

Pierre

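The account-selection rules discussed in this thread (Corinna's notes on SYSTEM, LocalService and the services that switch user context, and Pierre's list of existing privileged user names), as an added example that is not csih code and not part of any message here. The function names, the preference for LocalService when a service needs no SYSTEM permissions, and the sample passwd entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not csih code. Function names and passwd entries are constructed.

# Print the first candidate name that has an entry in the passwd file.
first_existing_user() {   # $1 = passwd file, remaining args = names in priority order
  _pw=$1; shift
  for _name in "$@"; do
    if awk -F: -v n="$_name" '$1 == n { found = 1 } END { exit !found }' "$_pw"; then
      echo "$_name"; return 0
    fi
  done
  return 1
}

# Print the account whose gecos field (5th) carries exactly this SID.
# Whole comma-separated items are compared, so S-1-5-2 never matches S-1-5-20.
user_for_sid() {          # $1 = passwd file, $2 = SID
  awk -F: -v sid="$2" '{
      n = split($5, item, ",")
      for (i = 1; i <= n; i++) if (item[i] == sid) { print $1; found = 1; exit }
    } END { exit !found }' "$1"
}

# Choose the account a service is installed under.
#   $1 = passwd file
#   $2 = yes if the service switches user context without a password
#   $3 = yes on 2K3/XP 64 and later (SYSTEM cannot create a user token there)
#   $4 = yes if the service really needs SYSTEM permissions
service_account() {
  if [ "$2" = yes ] && [ "$3" = yes ]; then
    # Reuse an existing privileged account; suggest cyg_server if none exists.
    first_existing_user "$1" cyg_server cron_server sshd_server || echo cyg_server
  elif [ "$2" = yes ] || [ "$4" = yes ]; then
    echo SYSTEM
  else
    # Assumed policy: least privilege, LocalService when passwd knows it.
    user_for_sid "$1" S-1-5-19 || echo SYSTEM
  fi
}

# Constructed sample in the style of mkpasswd output.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
SYSTEM:*:18:544:,S-1-5-18::
LocalService:*:19:544:U-NT AUTHORITY\LocalService,S-1-5-19::
NetworkService:*:20:544:U-NT AUTHORITY\NetworkService,S-1-5-20::
sshd_server:unused:1004:513:U-HOST\sshd_server,S-1-5-21-1111-2222-3333-1004:/var/empty:/bin/false
EOF

service_account "$SAMPLE_PASSWD" yes yes no   # sshd_server
```
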
Re: cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]
Corinna Vinschen wrote:
> On Feb 27 00:34, Charles Wilson wrote:
[snip]
> Wow, thanks for the quick implementation.  Unfortunately I won't have
> time to look into this for now since I have to look into a Win2K problem
> with network paths.

No problem. I just wanted to see how hard it was going to be -- and
since it was my suggestion: money, meet mouth. Turns out it wasn't
really that hard at all to extract the necessary bits. (He says, having
done zero testing...)

> (4a) rewrite syslog-ng-config to use it

Okay, thanks.

> But actually, services which don't have to switch user accounts don't
> really need it.

True, unless you want to create an unprivileged user for the service
(unless, post-XP, even LocalSystem is considered unprivileged?)

> Erm... why are all these functions called csh_foo?  Cygwin SHell?
> It sounds so much as if these functions are csh functions.  Maybe cf or
> cyg would be a better prefix?

Cygwin-Services-Helper.  Since this is a function library that will be
sourced into other scripts, I was trying to make sure it was, as far as
possible, namespace clean: prefixes on all function names and public
variables, ensure to label function-local vars as 'local' so they don't
leak, etc.

--
Chuck

cygwin-services-helper [was: Re: [ITA] inetutils-1.5-1]
Corinna Vinschen wrote:
> On Feb 25 20:46, Charles Wilson wrote:
>> How about a new package, cygwin-services-helper or somesuch, that
>> contains
>>
>> (1) a script [*] derived from the appropriate portion of
>> sshd-host-config, whose job is to create the appropriate privileged
>> user (I like 'cygwin_svc') -- unless it already exists under either
>> name ('cygwin_svc' or 'sshd_server').
>>
>> (2) maybe another script [*] whose job is to ascertain whether such a
>> user already exists, and return its name (or if not).
>>
>> It would be up to the calling foo-config to use these two scripts
>> appropriately.  And, of course, the user might have to enter the
>> password for the privileged user account twice: once when it is
>> created, and then again (by foo-config) to install the service 'foo'.
>>
>> Then, openssh (and inetutils, and syslog-ng, and sysvinit, ...) could
>> all depend on the cygwin-services-helper package.
>>
>> [*] or maybe a script function library somewhere like
>> /usr/lib/cygwin-services/ that foo-config could 'source', and then
>> call the functions directly.  This would help the enter the password
>> twice problem...
>
> Sounds good!  The function library would be cool.

Here's my first draft. Totally untested, almost nuthin' in the way of
documentation...but I figured I'd post it now, because I won't have time
for any more cygwin stuff until the weekend...

TODO:
(1) test, documentation, bughunt this function library
(2) rewrite ssh-host-config to use it
(3) rewrite iu-config to use it
(4) rewrite syslog-config to use it
(5) chase setup.exe bug with regards to inetutils' setup.hint
(6) incorporate bugfix for rshd (and rexecd /does/ have a similar bug)
(7) remove --install-as-service from inetd
   (7a) add code to read existing \\Parameters\ConfigFilePath REG_SZ,,
        instead of ignoring it completely in favor of
        \\Parameters\ConfigFilePaths REG_MULTI_SZ -- probably migrating
        it over to the new REG_MULTI_SZ, since new 1.5 code *expects* at
        least two entries in the char** config_files array.
(8) batten down the hatches on default inetd.conf
(9) update inetutils.README to reflect #7 #8

Yeesh.  This is gonna take a while...

--
Chuck

#--
#!/bin/bash --
# cygwin_services_helper.sh
#
# This is a script library used to assist installing cygwin
# services, such as sshd.  It is derived in part from
#
#   ssh-host-config (2008-02-25) Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#     part of the Cygwin port of OpenSSH
#
#   cygport (2008-02-25) Copyright (C) 2006, 2007 Yaakov Selkowitz
#     GPL v3
#
# Do not attempt to run this file. Instead, it should be sourced by
# configuration scripts (such as a newer version of ssh-host-config,
# syslog-config, or iu-config) -- and that script should then use
# the shell functions defined here.
#
# REQUIREMENTS:
#   SHELL must be bash
#
# PROVIDES:
#    csh_error
#    csh_error_multi
#    csh_warning
#    csh_inform
#    csh_verbose
#    csh_request
#    csh_is_nt
#    csh_is_nt2003
#    csh_check_prog
#    csh_check_prog_req
#    csh_install_config
#    csh_make_dir
#    csh_privileged_user_name
#    csh_privileged_user_exists
#    csh_service_should_run_as
#    csh_check_mounts
#    csh_create_privileged_user
#    csh_create_unprivileged_user
#
# MUTABLE VARIABLES:
#   csh_FORCE_PRIVILEGED_USER
#     if yes, then create a privileged user even on NT/2k/XP
#     where it is not required (on those versions, LocalSystem
#     will do fine).
#   SYSCONFDIR
#     default value = /etc
#   LOCALSTATEDIR
#     default value = /var
#   csh_auto_answer
#     default value = (no automatic answers)
csh_progname=$0
csh_progname_base=$(basename "$csh_progname")
csh_auto_answer=""
csh_FORCE_PRIVILEGED_USER=no

if [ -z "${SYSCONFDIR}" ]
then
  SYSCONFDIR=/etc
fi

if [ -z "${LOCALSTATEDIR}" ]
then
  LOCALSTATEDIR=/var
fi

# messaging functions borrowed from cygport

# Print an error message and exit with the status of the failed command
# (or 1 if the previous command succeeded).
csh_error()
{
  case $? in
    0) local errorcode=1 ;;
    *) local errorcode=$? ;;
  esac

  echo -e "\e[1;31m*** ERROR:\e[0;0m ${1:-no error message provided}"
  exit ${errorcode}
}

csh_error_multi()
{
  # used for multi-line error messages.
  case $? in
    0) local errorcode=1 ;;
    *) local errorcode=$? ;;
  esac

  while test $# -gt 1
  do
    echo -e "\e[1;31m*** ERROR:\e[0;0m ${1}"
    shift
  done
  echo -e "\e[1;31m*** ERROR:\e[0;0m ${1:-no error message provided}"
  exit ${errorcode}
}

csh_warning()
{
  echo -e "\e[1;33m*** Warning:\e[0;0m ${1}"
}

csh_inform()
{
  echo -e "\e[1;32m*** Info:\e[0;0m ${1}"
}

# Echo a command line, then run it and return its exit status.
# (The archive's address filter replaced both argument lists with
# [EMAIL PROTECTED]; "${@}" is restored here from context.)
csh_verbose()
{
  echo "${@}"
  "${@}"
  return $?
}

# Ask a yes/no question; returns 0 for yes, 1 for no.
# csh_auto_answer=yes|no answers without prompting.
csh_request()
{
  local answer=""

  if [ "${csh_auto_answer}" = "yes" ]
  then
    echo "$1 (yes/no) yes"
    return 0
  elif [ "${csh_auto_answer}" = "no" ]
  then
    echo "$1 (yes/no) no"
    return 1
  fi

  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read -e answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}