Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sources.redhat.com/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Date:	Sat, 13 Jul 2002 10:58:23 -0400
From:	Jason Tishler <jason AT tishler DOT net>
Subject:	Re: setuid() problem when disconnected from PDC under 1.3.12-2
In-reply-to:	<20020712120736.GA2372@tishler.net>
To:	cygwin AT cygwin DOT com
Mail-followup-to:	cygwin AT cygwin DOT com
Message-id:	<20020713145823.GK2372@tishler.net>
MIME-version:	1.0
User-Agent:	Mutt/1.4i
References:	<20020712120736 DOT GA2372 AT tishler DOT net>

--Boundary_(ID_pC3wCdndynbBemaIsW+CDw)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Content-disposition: inline

On Fri, Jul 12, 2002 at 08:07:36AM -0400, Jason Tishler wrote:
> On Tue, Jul 09, 2002 at 11:44:33PM -0400, Matt Swift wrote:
> > A recent upgarde of openssh has broken incoming ssh service.  When I
> > debug the sshd, I see the error below in the Event Viewer...
> > [snip]
> > fatal: setuid 1006: Permission denied.
> 
> I am experiencing a possibly related problem with sshd under 1.3.12-2.
> If I ssh to my laptop when disconnected from my PDC, then key exchange
> fails with the above error.

The following is a snippet from a strace (of the attached setuid.cc
running under the LocalSystem account) that shows what is happening in
the above case:

  123  148512 [main] setuid 2672 seteuid32: uid: 19695 myself->gid: 18
  192  148704 [main] setuid 2672 seteuid32: Process token not verified
 1659  150363 [main] setuid 2672 set_process_privilege: 0 = set_process_privilege (SeCreateTokenPrivilege, 1)
 1438  151801 [main] setuid 2672 extract_nt_dom_user: pw_gecos = A011350 (Jason Tishler,U-PALO-ALTO\JATIS,S-1-5-21-136257377-364972176-1563891627-119695)
2305210 2457011 [main] setuid 2672 seterrno_from_win_error: ../../../../src/winsup/cygwin/security.cc:278 windows error 2453
                                        ^^^^
                                        ****
  384 2457395 [main] setuid 2672 geterrno_from_win_error: unknown windows error 2453, setting errno to 13

Note that the Windows error 2453 corresponds to NERR_DCNotFound.

The corresponding code from the Cygwin DLL is:

BOOL
get_logon_server (const char *domain, char *server, WCHAR *wserver)
{
  ...
  /* Try to get the primary domain controller for the domain */
  sys_mbstowcs (wdomain, domain, INTERNET_MAX_HOST_NAME_LENGTH + 1);
  if ((ret = NetGetDCName (NULL, wdomain, (LPBYTE *) &buf)) == STATUS_SUCCESS)
    {
      ...
    }
  __seterrno_from_win_error (ret);
  return FALSE;
}

So, it seems that get_logon_server() will always fail for domain users
when they are disconnected from their PDC.

I haven't figured out how to fix the above yet but at least I have
better characterized the problem.

Jason

--Boundary_(ID_pC3wCdndynbBemaIsW+CDw)
Content-type: text/plain; charset=us-ascii; NAME=setuid.cc
Content-transfer-encoding: 7BIT
Content-disposition: attachment; filename=setuid.cc

#include <stdio.h>
#include <sys/errno.h>
#include <unistd.h>
#include <stdlib.h>

int
main(int argc, char* argv[])
{
	int uid = 500;
	if (argc > 1)
		uid = atoi(argv[1]);
	int s = setuid(uid);
	if (s == -1)
		printf("setuid failed with errno = %d\n", errno);

	return 33;
}


--Boundary_(ID_pC3wCdndynbBemaIsW+CDw)
Content-Type: text/plain; charset=us-ascii

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
--Boundary_(ID_pC3wCdndynbBemaIsW+CDw)--

- Raw text -