Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
From: "Rodrigo Serra"
To: "'Pierre A. Humblet'"
Subject: RE: su questions
Date: Fri, 4 Apr 2003 17:50:23 -0300
Message-ID: <000001c2faeb$d031ac10$0102a8c0@rmserra.com.ar>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3718.0
Importance: Normal
In-Reply-To: <3E8DDE92.F567A838@ieee.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id h34KoPg00818

Pierre

Yes the account of the test is SYSTEM.

I searched on msdn and found a tiny explanation of how privileges are needed
to run the SeCreateTokenPrivilege api.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/authorization_constants.asp

The page shows the privilege "Create a token object". upsss

I created a new user named init, and assigned the privileges "Act as part of
the operating system", "Create a token object", "Log on as service", and
"Replace a process level token" and the ssh and su with no password prompt
work!!!

I do not understand what happened.

The documentation of openssh mentions the necessary privileges and does not
indicate "Create a token object" but indicates "Increase quotas". This
privilege does not exist in my Windows .net

Well now setguid works in my Windows .net box.

Rodrigo

-----Original Message-----
From: cygwin-owner AT cygwin DOT com [mailto:cygwin-owner AT cygwin DOT com] On behalf of Pierre A. Humblet
Sent: Friday, April 04, 2003 04:36 p.m.
To: Rodrigo Serra
CC: cygwin AT cygwin DOT com
Subject: Re: su questions

Rodrigo Serra wrote:
>
> Pierre,
>
> I follow your instructions and su command fails with "access denied"
> message. Attached file is the output of strace.
>
> Rodrigo
>

2070 29565 [main] su 2316 seterrno_from_win_error: /netrel/src/cygwin-1.3.22-1/winsup/cygwin/sec_helper.cc:340 windows error 1300
175 29740 [main] su 2316 geterrno_from_win_error: unknown windows error 1300, setting errno to 13
58 29798 [main] su 2316 set_process_privilege: -1 = set_process_privilege (SeCreateTokenPrivilege, 1)
65 29863 [main] su 2316 create_token: -1 = create_token ()

So on your machine, SYSTEM does not have SeCreateTokenPrivilege
That's unexpected.

"id" was showing that you were running as SYSTEM when you issued
the su command. Correct?

Does anyone know about the peculiarities of "Windows.NET Server 2003" RC2
and how to enable this privilege?

Pierre

> -----Original Message-----
> From: cygwin-owner AT cygwin DOT com [mailto:cygwin-owner AT cygwin DOT com] On behalf of
> Pierre A. Humblet
> Sent: Friday, April 04, 2003 11:40 a.m.
> To: Rodrigo Serra
> CC: cygwin AT cygwin DOT com
> Subject: Re: su questions
>
> Rodrigo Serra wrote:
> >
> > Pierre,
> >
> > The cygwin environment is binmode ntsec tty. The following string is
> > extracted from cygwin1.dll "1.3.22-dontuse-21". Windows is "Windows.NET
> > Server 2003" RC2.
> >
> > This happens only when trying to use no password authentication.
> >
>
> OK, It may have to do with your version of Windows
> I need your help for some debugging
>
> 1) Edit /etc/passwd to
>    a) remove the passwd of SYSTEM
>    b) add a home directory for SYSTEM (e.g. /)
>    c) add a shell for SYSTEM
>    d) remove your password (uid 1003)
> 2) telnet localhost and login as SYSTEM
>    It should let you in without password
>    You are now running as SYSTEM, confirm with "id"
> 3) su yourself (uid 1003)
> If that fails:
> 4) strace -o trace su yourself
>    and send me the trace
> 5) Put the SYSTEM password back if your machine is directly accessible.
>
> Pierre

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/