This is the mail archive of the cygwin-apps mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [ATTN Maintainer] csih

From: Achim Gratz <Stromeko at nexgo dot de>
To: cygwin-apps at cygwin dot com
Date: Thu, 02 Apr 2015 11:27:59 +0200
Subject: Re: [ATTN Maintainer] csih
Authentication-results: sourceware.org; auth=none
References: <87k2xzftp0 dot fsf at Rainer dot invalid> <20150330072905 dot GG29875 at calimero dot vinschen dot de> <87lhidvt45 dot fsf at Rainer dot invalid> <20150401074611 dot GM13285 at calimero dot vinschen dot de>

Corinna Vinschen writes:
>> There's another fix that should probably go into the scripts: The
>> service users should get SeDenyInteractiveLogonRight (they already have
>> SeDenyRemoteLogonRight).  At least on my Windows7 Pro/64bit laptop the
>> accounts show up on the login screen otherwise.
>
> Still, https://cygwin.com/acronyms/#PGA?  Really, I mean it.

Sorry, I was temporarily out of round tuits.

Index: cygwin-service-installation-helper.sh
===================================================================
RCS file: /cvs/cygwin-apps/csih/cygwin-service-installation-helper.sh,v
retrieving revision 1.37
diff -r1.37 cygwin-service-installation-helper.sh
3038a3039
>         /usr/bin/editrights -a SeDenyInteractiveLogonRight -u ${csih_PRIVILEGED_USERNAME} &&

OK to commit?

BTW, is there some deeper reason to use

        /usr/bin/editrights -a SeAssignPrimaryTokenPrivilege -u ${csih_PRIVILEGED_USERNAME} &&
        /usr/bin/editrights -a SeCreateTokenPrivilege -u ${csih_PRIVILEGED_USERNAME} &&
        /usr/bin/editrights -a SeTcbPrivilege -u ${csih_PRIVILEGED_USERNAME} &&
        /usr/bin/editrights -a SeDenyInteractiveLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
        /usr/bin/editrights -a SeDenyRemoteInteractiveLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
        /usr/bin/editrights -a SeServiceLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
        username_got_all_rights="yes"

instead of

        /usr/bin/editrights \
          -a SeAssignPrimaryTokenPrivilege -a SeCreateTokenPrivilege -a SeTcbPrivilege \
          -a SeDenyInteractiveLogonRight -a SeDenyRemoteInteractiveLogonRight \
          -a SeServiceLogonRight -u ${csih_PRIVILEGED_USERNAME} &&
        username_got_all_rights="yes"

?  Because if there is, that seems like a bug in editrights that should
be fixed.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables

Follow-Ups:
- Re: [ATTN Maintainer] csih
  - From: Corinna Vinschen

References:
- Re: [ATTN Maintainer] csih
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]