To: cygwin AT cygwin DOT com
From: Brian Kasper
Subject: Re: "/bin/bash: permission denied" on WinXP 2003 x64 solved (privilege problem)
Date: Mon, 13 Aug 2007 04:53:55 -0700

Corinna Vinschen wrote:
>> I was seeing errors in the system event log, but unfortunately I'm not
>> very experienced with Windows security, so I wasn't understanding what I
>> was seeing.
>
> When you set up a server it makes a lot of sense trying to understand
> Windows security.  Besides books, I would suggest having a look
> into the MSDN library.  For instance, a description of the privileges
> is given here: http://msdn2.microsoft.com/en-us/library/bb530716.aspx

Thanks for the pointer.  I'm much more familiar with Linux/UNIX security
than I am with Windows security, so the more I can learn the better.

>> As it turns out, all my problems were caused by the fact that the
>> sshd_server user being created by the ssh-host-config script was not
>> being given all the required privileges.
>
> This is weird.  The ssh-host-config script usually makes sure that
> the sshd_server user got all required privileges.  See the script
> at line 517ff.

I'm not at work right now, and unfortunately I can't access the gmane
news server from work, but I'll check out the script.
I agree it's weird; perhaps it's due to either the 64-bitness of the OS,
or the fact that the OS is (as far as I know) based on the server
version of Windows XP ....

>> I'm not sure why, but I found
>> an online description of the rights required by sshd_server and used the
>> "editrights" utility to grant them.
>
> You really wouldn't have needed an online description.  The script
> contains all of them ;)

Yep, I should have looked at the script, but I was trying to find
possible fixes using Google searches and happened across a website that
listed them, so I used that.  If I get the chance, I'll delete the
sshd_server user from that system and re-run the ssh-host-config script
to see what privileges it assigns to sshd_server.

>> In case the information helps anyone else, here is a list of the
>> privileges that the sshd_server user appears to need:
>>
>> SeIncreaseQuotaPrivilege
>> SeTcbPrivilege
>> SeAssignPrimaryTokenPrivilege
>> SeCreateTokenPrivilege
>> SeServiceLogonRight
>> SeDenyInteractiveLogonRight
>> SeDenyNetworkLogonRight
>> SeDenyRemoteInteractiveLogonRight
>>
>> To determine which privileges sshd_server has on your system, use this
>> command:
>>
>> editrights -u sshd_server -l
>>
>> And here are the commands necessary to grant the above privileges to
>> sshd_server:
>> [...]
>
> As I said, see /bin/ssh-host-config, lines 517ff.  The Deny-"rights" are
> obviously not necessary.  They are just used to secure the account
> against malusage.

That makes sense.

Thanks again for taking the time to read and respond.

-B
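
An added example, not part of the original message or of ssh-host-config: a small script that checks a rights listing against the privileges named above, treating the SeDeny* rights as hardening only, as the reply describes them. It assumes that `editrights -u sshd_server -l` prints one right per line; the function name and the sample listing are constructed for illustration.

```bash
#!/bin/bash
# Added example: audit the rights held by the sshd service account.
# The privilege names are the ones listed in the message above.
REQUIRED="SeIncreaseQuotaPrivilege SeTcbPrivilege SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeServiceLogonRight"
HARDENING="SeDenyInteractiveLogonRight SeDenyNetworkLogonRight SeDenyRemoteInteractiveLogonRight"

# audit_rights (hypothetical helper): reads a rights listing on stdin
# (assumed format: one name per line), prints one finding per absent right,
# and returns 1 if any required privilege is missing.
audit_rights() {
    local held name rc=0
    # Normalise: strip CRs and surrounding whitespace, drop blank lines.
    held=$(tr -d '\r' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d')
    for name in $REQUIRED; do
        if ! printf '%s\n' "$held" | grep -qxF "$name"; then
            echo "MISSING $name"      # the service account cannot work without it
            rc=1
        fi
    done
    for name in $HARDENING; do
        if ! printf '%s\n' "$held" | grep -qxF "$name"; then
            echo "NOT-DENIED $name"   # account is less locked down than intended
        fi
    done
    return $rc
}

# Constructed sample listing: one required privilege and one deny right absent.
SAMPLE_LISTING='SeIncreaseQuotaPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight'

# On a live system: editrights -u sshd_server -l | audit_rights
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | audit_rights
fi
```

A non-zero exit status means a required privilege is absent; NOT-DENIED lines alone leave the status at 0.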