This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
Other format: | [Raw text] |
Hi Achim, On Apr 2 11:27, Achim Gratz wrote: > Corinna Vinschen writes: > >> There's another fix that should probably go into the scripts: The > >> service users should get SeDenyInteractiveLogonRight (they already have > >> SeDenyRemoteLogonRight). At least on my Windows7 Pro/64bit laptop the > >> accounts show up on the login screen otherwise. > > > > Still, https://cygwin.com/acronyms/#PGA? Really, I mean it. > > Sorry, I was temporarily out of round tuits. > > Index: cygwin-service-installation-helper.sh > =================================================================== > RCS file: /cvs/cygwin-apps/csih/cygwin-service-installation-helper.sh,v > retrieving revision 1.37 > diff -r1.37 cygwin-service-installation-helper.sh > 3038a3039 > > /usr/bin/editrights -a SeDenyInteractiveLogonRight -u ${csih_PRIVILEGED_USERNAME} && diff -up, please, it's much easier to read. > OK to commit? Yes, please apply. > BTW, is there some deeper reason to use > > /usr/bin/editrights -a SeAssignPrimaryTokenPrivilege -u ${csih_PRIVILEGED_USERNAME} && > /usr/bin/editrights -a SeCreateTokenPrivilege -u ${csih_PRIVILEGED_USERNAME} && > /usr/bin/editrights -a SeTcbPrivilege -u ${csih_PRIVILEGED_USERNAME} && > /usr/bin/editrights -a SeDenyInteractiveLogonRight -u ${csih_PRIVILEGED_USERNAME} && > /usr/bin/editrights -a SeDenyRemoteInteractiveLogonRight -u ${csih_PRIVILEGED_USERNAME} && > /usr/bin/editrights -a SeServiceLogonRight -u ${csih_PRIVILEGED_USERNAME} && > username_got_all_rights="yes" > > instead of > > /usr/bin/editrights \ > -a SeAssignPrimaryTokenPrivilege -a SeCreateTokenPrivilege -a SeTcbPrivilege \ > -a SeDenyInteractiveLogonRight -a SeDenyRemoteInteractiveLogonRight \ > -a SeServiceLogonRight -u ${csih_PRIVILEGED_USERNAME} && > username_got_all_rights="yes" > > ? Because if there is, that seems like a bug in editrights that should > be fixed. That should work. IIUC Chuck was trying to check if every single right has been granted, but the single call to editrights should do the same thing, given that it calls LsaAddAccountRights and returns an error if that function returns an error. Feel free to apply a patch after testing. Thanks, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat
Attachment:
pgpSrn8Jqnn_g.pgp
Description: PGP signature
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |