public inbox for cygwin@cygwin.com
* Untangling security - W2K on NT domain
@ 2001-07-21  2:16 Steve Jorgensen
  2001-07-22  1:10 ` Corinna Vinschen
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Jorgensen @ 2001-07-21  2:16 UTC (permalink / raw)
  To: cygwin@cygwin. Com (E-mail)

Scenario:

Installed on a Windows 2K workstation and member of an NT 4 domain.

Using an account on the domain added to Administrators group on 
workstation, but merely a regular user on the domain.


Problem:

In the groups file, 513 is "None".  I thought that was only supposed to 
happen on a workgroup system.

Untarring files with tar -xvzf fails miserably (as same user as described 
above).  Permissions are set wrong on new directories, and extract fails on 
files destined for those directories because of inadequate permissions.

It would seem that I need to fix my /etc/passwd and/or /etc/group files, 
but I don't understand them well enough to know what to do.  What do I need 
to do here?

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* Re: Untangling security - W2K on NT domain
  2001-07-21  2:16 Untangling security - W2K on NT domain Steve Jorgensen
@ 2001-07-22  1:10 ` Corinna Vinschen
  0 siblings, 0 replies; 5+ messages in thread
From: Corinna Vinschen @ 2001-07-22  1:10 UTC (permalink / raw)
  To: cygwin@cygwin. Com (E-mail)

On Sat, Jul 21, 2001 at 02:24:40AM -0700, Steve Jorgensen wrote:
> Scenario:
> 
> Installed on a Windows 2K workstation and member of an NT 4 domain.
> 
> Using an account on the domain added to Administrators group on 
> workstation, but merely a regular user on the domain.
> 
> 
> Problem:
> 
> In the groups file, 513 is "None".  I thought that was only supposed to 
> happen on a workgroup system.

On setup, `mkpasswd' is only called with the -l option. Call it again
using the -d option.

> Untarring files with tar -xvzf fails miserably (as same user as described 
> above).  Permissions are set wrong on new directories, and extract fails on 
> files destined for those directories because of inadequate permissions.
> 
> It would seem that I need to fix my /etc/passwd and/or /etc/group files, 
> but I don't understand them well enough to know what to do.  What do I need 
> to do here?

Call mkpasswd and mkgroup without options. That should give you a clue.
And calling them with options isn't dangerous at all since they both
write to stdout. A little disposition to play is very helpful sometimes.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
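
Added example, not part of the original thread and not Cygwin's own setup code: a shell check for the symptom discussed above (gid 513 named "None" instead of "Domain Users"), plus regeneration into side files for review. The sample group lines and SIDs are constructed, and combining -l and -d in one call is an assumption; the reply only says to call mkpasswd again with -d.

```shell
#!/bin/sh
# Added example. Reads a Cygwin-style group file (name:SID:gid:members)
# on stdin and reports which name is mapped to gid 513.

check_group() {
    awk -F: '
        $3 == 513 && $1 == "None" { loc = 1 }   # local-machine group only
        $3 == 513 && $1 != "None" { dom = 1 }   # e.g. "Domain Users"
        END {
            if (dom)      print "domain"
            else if (loc) print "local-only"
            else          print "missing"
        }'
}

# Constructed sample: the state described in the question.
sample_local() {
    cat <<'EOF'
Administrators:S-1-5-32-544:544:
None:S-1-5-21-1111-2222-3333-513:513:
EOF
}

# Constructed sample: the state the poster expected on a domain member.
sample_domain() {
    cat <<'EOF'
Administrators:S-1-5-32-544:544:
Domain Users:S-1-5-21-4444-5555-6666-513:513:
EOF
}

# Write candidates next to the live files; nothing is replaced.
# Both tools write to stdout, so this can be repeated and diffed safely.
regenerate() {
    command -v mkpasswd >/dev/null 2>&1 || { echo "mkpasswd not found" >&2; return 1; }
    mkpasswd -l -d > "$1/passwd.new" && mkgroup -l -d > "$1/group.new"
}

# Only report on the live file when running under Cygwin.
if [ -r /etc/group ] && command -v mkgroup >/dev/null 2>&1; then
    echo "/etc/group: $(check_group < /etc/group)"
fi
```

Review passwd.new and group.new against the current files before copying them over /etc/passwd and /etc/group.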


* Re: Untangling security - W2K on NT domain
  2001-07-22  1:29 Steve Jorgensen
@ 2001-07-22  3:00 ` Corinna Vinschen
  0 siblings, 0 replies; 5+ messages in thread
From: Corinna Vinschen @ 2001-07-22  3:00 UTC (permalink / raw)
  To: cygwin

On Sun, Jul 22, 2001 at 01:30:12AM -0700, Steve Jorgensen wrote:
> What might be a nice goal for the future would be to ask the user if they 
> want to launch a security wizard after first-time setup.  The wizard would 
> ask a bunch of questions, then set up /etc/passwd and /etc/group, and run 
> chmod on everything that was just installed.  I don't know if I'd be able 
> to write something like this, but would you want it if I could do it 
> successfully?

With pleasure. If you like, you could participate in the efforts
which are currently in progress to make the setup tool way more
useful than it was already before. Today, only a small script
is run which creates a default /etc/passwd file by calling
`mkpasswd -l'. It would be useful to have a script or an extension
to setup which asks the user about the environment and the security
needs and then calls mkpasswd and mkgroup appropriately.

It would be useful to follow (and subscribe to) the cygwin-developers
and cygwin-patches mailing lists if you want to step in.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.


* RE: Untangling security - W2K on NT domain
@ 2001-07-22  1:29 Steve Jorgensen
  2001-07-22  3:00 ` Corinna Vinschen
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Jorgensen @ 2001-07-22  1:29 UTC (permalink / raw)
  To: 'Corinna Vinschen'

On Sunday, July 22, 2001 1:11 AM, Corinna Vinschen [SMTP:cygwin@cygwin.com] 
wrote:
> On Sat, Jul 21, 2001 at 02:24:40AM -0700, Steve Jorgensen wrote:
> > Scenario:
> >
> > Installed on a Windows 2K workstation and member of an NT 4 domain.
> >
> > Using an account on the domain added to Administrators group on
> > workstation, but merely a regular user on the domain.
> >
> >
> > Problem:
> >
> > In the groups file, 513 is "None".  I thought that was only supposed to 
> > happen on a workgroup system.
>
> On setup, `mkpasswd' is only called with the -l option. Call it again
> using the -d option.
>
> > Untarring files with tar -xvzf fails miserably (as same user as described
> > above).  Permissions are set wrong on new directories, and extract fails on
> > files destined for those directories because of inadequate permissions.
> >
> > It would seem that I need to fix my /etc/passwd and/or /etc/group files,
> > but I don't understand them well enough to know what to do.  What do I need
> > to do here?
>
> Call mkpasswd and mkgroup without options. That should give you a clue.
> And calling them with options isn't dangerous at all since they both
> write to stdout. A little disposition to play is very helpful sometimes.
>

I guess I'm figuring that out (about playing, that is).  It's a bit 
worrisome, though, with regard to being easy for new users to get started.
It was bone simple to set everything up the way I wanted it on W98 (where 
security is non-existent), but I can't even untar a package on my W2K box 
without learning a whole new skill.  I think I'm up to it (now that I 
realized everything I need is in the freakin' manual I should have looked 
at in the first place), but it took me a while to realize that passwd and 
group files were even something I needed to concern myself with or that 
they were related to the trouble I was having.

What might be a nice goal for the future would be to ask the user if they 
want to launch a security wizard after first-time setup.  The wizard would 
ask a bunch of questions, then set up /etc/passwd and /etc/group, and run 
chmod on everything that was just installed.  I don't know if I'd be able 
to write something like this, but would you want it if I could do it 
successfully?


* RE: Untangling security - W2K on NT domain
@ 2001-07-21 23:06 Steve Jorgensen
  0 siblings, 0 replies; 5+ messages in thread
From: Steve Jorgensen @ 2001-07-21 23:06 UTC (permalink / raw)
  To: Cygwin List (E-mail)

More detail on this issue.

System/network:
	Windows 2000 workstation
	Member of NT domain (server is NT 4.0)

Cygwin security settings:
	Nothing changed after normal install.
	$CYGWIN contains "binmode tty ntsec"

User for install/tests:
	Member of "Domain Users" on domain.
	Member of "<localmachine>\Administrators".

Directory/file permissions after install (setup.exe):
	Domain group "Everyone" has full permission to everything.
	Allow inheritable permissions... enabled on everything.

Permissions of folder created from Cygwin bash using mkdir:
	Owner is "<localmachine>\Administrator"
	"<localmachine>\Administrator" has full permission
	"Everyone" has all permissions except "Full Control"
	-- "<localmachine>\None" has all permissions except "Full Control" (?1) --
	Allow inheritable permissions... disabled.

Permissions of folder created during tar -xvzf ... into existing folder 
made by setup.exe:
	Owner is "<localmachine>\Administrator"
	"<localmachine>\Administrator" has full permission
	-- "Everyone" has only read, list, and execute, no write (?2) --
	"<localmachine>\None" has all permissions except "Full Control"
	Allow inheritable permissions... disabled.

Permissions of folder created during tar -xvzf ... into folder created by 
mkdir from Cygwin (?3):
	Owner is "<localmachine>\Administrator"
	"<localmachine>\Administrator" has full permission
	"Everyone" has all permissions except "Full Control"
	"<localmachine>\None" has all permissions except "Full Control"
	Allow inheritable permissions... disabled.


Questions/issues:

(?1)
According to 
http://sources.redhat.com/cygwin/cygwin-ug-net/ntsec.html#NTSEC-FILES , the 
None group should only appear when installing on a workgroup system, not a 
domain member.  Should be "Domain Users", not "None".

(?2)
Untar fails badly because, after it creates a directory, it has 
insufficient permission to add files to it.  To delete or modify these 
directories, I have to first take ownership because, though I'm a member of 
"<machine>\Administrators", I'm not "<machine>\Administrator"

(?3)
OK, so untar will at least function if extract is into a directory I 
created using mkdir, but this doesn't help if I have to untar from /.  I 
suppose it would work right if I first manually changed all the directory 
permissions to something like what I get when I create a directory with 
mkdir.  I'm not sure the best way to do this, and I'm not sure if I'd want 
to since everything isn't looking like it's supposed to in the first place.
I suppose if I do want to keep using "None", I would use chmod on 
everything to change the permissions to something that nominally works.

Can anyone help me untangle this knot?

On Saturday, July 21, 2001 2:25 AM, Steve Jorgensen [SMTP:jorgens@coho.net] 
wrote:
> Scenario:
>
> Installed on a Windows 2K workstation and member of an NT 4 domain.
>
> Using an account on the domain added to Administrators group on
> workstation, but merely a regular user on the domain.
>
>
> Problem:
>
> In the groups file, 513 is "None".  I thought that was only supposed to
> happen on a workgroup system.
>
> Untarring files with tar -xvzf fails miserably (as same user as described
> above).  Permissions are set wrong on new directories, and extract fails on
> files destined for those directories because of inadequate permissions.
>
> It would seem that I need to fix my /etc/passwd and/or /etc/group files,
> but I don't understand them well enough to know what to do.  What do I need
> to do here?
>
