Mail Archives: cygwin/2006/12/20/16:50:07

Message-Id: <200612202149.kBKLngio023616@tigris.pounder.sol.net>
To: cygwin AT cygwin DOT com
From: cygzx AT trodman DOT com (Tom Rodman)
Reply-to: cygwin AT cygwin DOT com
Subject: OT observation: displaying share perms while in an ssh session
Date: Wed, 20 Dec 2006 15:49:41 -0600

Thought this was interesting. My theory: if you're in a cygwin
*password* *authenticated* ssh session, and you try to get a report
of the permissions for a network share, the report will fail
unless SYSTEM has read rights on the share.

Both examples below were invoked on the same host ( OurSrvr063 )
as a user in the administrators group.
Sorry.. my examples are using a third party tool called setacl:

    $ cygcheck -f /usr/bin/ssh
    openssh-4.3p2-3
    $ uname -a
    CYGWIN_NT-5.2 OurSrvr063 1.5.20s(0.155/4/2) 20060403 13:33:45 i686 Cygwin

  failing example:

    $ setacl -on '\\c7mdc063\d_drive' -ot shr -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
    Info: Privilege 'Back up files and directories' could not be enabled. This can probably be ignored.
    Info: Privilege 'Restore files and directories' could not be enabled. This can probably be ignored.
    ERROR reading SD from <\\c7mdc063\d_drive>: The object has a NULL security descriptor
    --snip

  working example (share same except that "SYSTEM read" was added):

    $ setacl -on '\\OurSrvr063\d_drive' -ot shr -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
    \\OurSrvr063\d_drive

       Owner: BUILTIN\Administrators

       Group: DOMxx1\Domain Users

       DACL(not_protected):
       BUILTIN\Administrators   full   allow   no_inheritance
    --snip
       DOMxx1\devbuild   read   allow   no_inheritance
       OurSrvr063\Informix-Admin   full   allow   no_inheritance
       S-1-5-21-1177238915-1979792683-1801674531-2119   read   allow   no_inheritance
       DOMxx1\XYZ_ES_STAFF   read   allow   no_inheritance
       DOMxx1\sehandof   read   allow   no_inheritance
       NT AUTHORITY\SYSTEM   read   allow   no_inheritance
    --snip

BTW Windows' "whoami" displays the username of the account that goes
with the password that was entered to start the ssh session;
remember that the ssh sessions above are *password* *authenticated*.

So for those shares I define, I plan to add "SYSTEM read".  I just tried
displaying the share perms in an ssh session on a Windows 2000 box and
it worked fine w/o the 'SYSTEM read' allow ACE, so (at least for us)
this appears to be specific to Windows 2003 (server).

Admittedly this is barely worth posting, and I'm not expecting any
response.

--
thanks,
Tom
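
An added example, not part of the original post and not SetACL's own code: a shell function that classifies a share listing like the two quoted above, so a set of shares can be audited for the "SYSTEM read" ACE and for the NULL security descriptor failure. The function name, the sample listings and the `\\HOST\share` placeholder are constructed, and the parser assumes columns are separated by a tab or by two or more spaces, as in the quoted output.

```shell
#!/bin/bash
# Constructed sample listings modelled on the output quoted in the post.
# \\HOST\share is a placeholder, not a real host or share.
listing_with_system() { cat <<'EOF'
\\HOST\share

   Owner: BUILTIN\Administrators

   DACL(not_protected):
   BUILTIN\Administrators   full   allow   no_inheritance
   NT AUTHORITY\SYSTEM   read   allow   no_inheritance
EOF
}
listing_without_system() { cat <<'EOF'
\\HOST\share

   DACL(not_protected):
   BUILTIN\Administrators   full   allow   no_inheritance
EOF
}
listing_unreadable() { cat <<'EOF'
ERROR reading SD from <\\HOST\share>: The object has a NULL security descriptor
EOF
}

# Classify a share listing read from stdin (hypothetical helper). Exit status:
#   0 = the DACL has an allow ACE giving NT AUTHORITY\SYSTEM read or full
#   1 = a DACL was listed but has no such ACE
#   2 = the security descriptor could not be read (the failure in the post)
# Only the permission names visible in the post (read, full) are recognised.
check_system_read() {
  awk '
    BEGIN { FS = "  +" }   # assumption: a column break is a tab or 2+ spaces
    { gsub(/\r/, ""); gsub(/\t/, "  "); sub(/^ +/, ""); sub(/ +$/, "") }
    /^ERROR reading SD/ { unreadable = 1 }
    /^DACL/ { in_dacl = 1; next }
    in_dacl && $1 == "NT AUTHORITY\\SYSTEM" && $3 == "allow" &&
      ($2 == "read" || $2 == "full") { found = 1 }
    END { if (unreadable) exit 2; exit(found ? 0 : 1) }
  '
}

# Run the classifier over the three constructed listings.
for f in listing_with_system listing_without_system listing_unreadable; do
  rc=0; "$f" | check_system_read || rc=$?
  echo "$f -> status $rc"
done
```

In a live session the output of the `setacl ... -actn list` command shown in the post would be piped into `check_system_read` in place of the sample functions.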

