Bug in csih

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Dec 19 13:08:00 GMT 2011


Hi Chuck,


During some testing I suddenly found that I couldn't start an sshd which
I had just installed as a service.  The reason was that the account I
was using for the service didn't have the "Logon as service" user right.
Which was puzzling given that csih calls editrights to add this user
right.

It turned out that the following test in cygwin-service-installation-helper.sh
is incorrect (line 2264):

  if ! csih_call_winsys32 net localgroup "${admingroup}" | /usr/bin/grep -Eiq "^${user}.?$"

The problem occurs if the user account is a domain account.  In that
case membership in the local administrators group is often only
indirectly given by being a member of a domain group which in turn
is a member of the Administrators group.  Example:

  "DOMAIN\user" is member of "DOMAIN\Domain Admins"
  "DOMAIN\Domain Admins" is member of "Administrators"

However, the `net localgroup' command does not resolve group memberships.
`net localgroup Administrators' on a domain member machine returns:

  Alias name     Administrators
  Comment        [...blah...]

  Members

  -----------------------------------
  Administrator
  VINSCHEN\Domain Admins
  The command completed successfully.

Calling `net localgroup Administrators /domain' isn't sufficient either,
since it also doesn't return indirect memberships.

Therefore I think the test for being a member of the admins group is
invalid and should just go away.  The current behaviour is too surprising
in a domain environment.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
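
Added example, not part of the original mail and not csih code: the quoted test run against the `net localgroup` output shown above (embedded as constructed sample data), next to a lookup that follows one level of group nesting. The helper names, the bare account name `user`, and the Domain Admins membership table are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample: the `net localgroup Administrators` output quoted in the mail.
sample_net_localgroup() {
cat <<'EOF'
Alias name     Administrators
Comment        [...blah...]

Members

-----------------------------------
Administrator
VINSCHEN\Domain Admins
The command completed successfully.
EOF
}

# The grep from the mail, fed the captured output instead of a live call.
# $1 = account name (assumed to be passed as a bare name); 0 = listed directly.
is_direct_member() {
  sample_net_localgroup | grep -Eiq "^$1.?\$"
}

# Member entries only: lines between the dashed rule and the status line.
list_members() {
  sample_net_localgroup |
    awk '/^-+$/ {m=1; next} /^The command completed/ {m=0} m && NF'
}

# Constructed domain data that `net localgroup` never consults.
domain_group_members() {
  case "$1" in
    'VINSCHEN\Domain Admins') printf '%s\n' 'user' ;;
  esac
}

# Membership as Windows grants it in the mail's scenario: direct, or through
# a listed group (one nesting level, enough for this illustration).
is_effective_member() {
  list_members | (
    while IFS= read -r entry; do
      [ "$entry" = "$1" ] && exit 0
      domain_group_members "$entry" | grep -Fxq -- "$1" && exit 0
    done
    exit 1
  )
}

for acct in Administrator user; do
  is_direct_member "$acct" && d=yes || d=no
  is_effective_member "$acct" && e=yes || e=no
  echo "$acct: grep test says member=$d, effective member=$e"
done
```

For `user` the grep test reports no membership although the account is an administrator through Domain Admins, which is the mismatch described in the mail.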


