Re: How do I figure out why LogonUserA is failing?

Re: How do I figure out why LogonUserA is failing?

[Corinna Vinschen]

On Mon, Nov 12, 2001 at 04:39:04PM -0700, Mark Paulus wrote:
> Hi,
> 
> I've tried various permutations of things in /etc/passwd in order
> to make login work, and I can't seem to get the correct things worked.
> 
> My machine is running Win2K/SP2, connected to a domain, and 
> roaming profiles are enabled.  I have tried doing a mkpasswd -l
> and then doing a login <myUserid> with my normal windows password,
> and failure.
> I have tried doing a mkpasswd -d and then doing a login <myUserid>
> with my normal windows passwd, and failure.
> 
> Where/what is the silver bullet to getting this login stuff to work.
> I ultimately want to be able to define root as a user, and be able to 
> login to that account for some work, but I can't seem to get any
> of it working.  I have read the NT security and the ntsec usage
> guide, and I think I comprehend most of what's in there, but I
> can't figure out this one....
> 
> Any pointers would be appreciated....

LogonUser/CreateProcessAsUser need special user rights.  This rights
are not given to user accounts, not even to admins.  Only SYSTEM has
that user rights by default.  That's the reason that login only
works when started from telnetd or rlogind, started from inetd which
itself is running as service under SYSTEM account.

login(1) is not intended for use on the command line under Cygwin.

Shouldn't we create a FAQ for that?

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[David Starks-Browning]

On Tuesday 13 Nov 01, Corinna Vinschen writes:
> LogonUser/CreateProcessAsUser need special user rights.  This rights
> are not given to user accounts, not even to admins.  Only SYSTEM has
> that user rights by default.  That's the reason that login only
> works when started from telnetd or rlogind, started from inetd which
> itself is running as service under SYSTEM account.
> 
> login(1) is not intended for use on the command line under Cygwin.
> 
> Shouldn't we create a FAQ for that?

There is already something about why there is no su, but it goes on to
say (indirectly) that login(1) may be a substitute.  I will amend it to
include the information you provide above.

(I don't know about this stuff myself, so I can't put it in the FAQ
until I get concise, pithy emails like this one.  Thanks Corinna!)

Cheers,
David


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Corinna Vinschen]

Thanks, David.

You should probably add the following info:

Login works fine on 9x/Me on the command line since there are no
special user rights or any other form of security at all.

It works if the _calling_ user account got the needed user rights:

  "Act as part of the operating system" (up to W2K, not needed since XP)
  "Replace process level token"
  "Increase quotas"

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Corinna Vinschen]

Sorry David, that's missing:

On Tue, Nov 13, 2001 at 02:05:31PM +0100, Corinna Vinschen wrote:
>   "Act as part of the operating system" (up to W2K, not needed since XP)
>   "Replace process level token"
>   "Increase quotas"

...which are _very_ powerful user rights which shouldn't be given
to ordinary user accounts!

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Mark Paulus]

So,

If I understand this little diddy, one shouldn't just up and do a
"login root"?  If that is the case, then what does one do to "become"
another user?  I have gotten it to work by telnetting back to my machine
and logging in as root that way, but that is rather "klunky", in my opinion.
However, if that is the ONLY way to do it, then so be it.  It should be 
documented as such, though.....


On Tue, 13 Nov 2001 11:41:58 +0000, David Starks-Browning wrote:

>On Tuesday 13 Nov 01, Corinna Vinschen writes:
>> LogonUser/CreateProcessAsUser need special user rights.  This rights
>> are not given to user accounts, not even to admins.  Only SYSTEM has
>> that user rights by default.  That's the reason that login only
>> works when started from telnetd or rlogind, started from inetd which
>> itself is running as service under SYSTEM account.
>> 
>> login(1) is not intended for use on the command line under Cygwin.
>> 
>> Shouldn't we create a FAQ for that?
>
>There is already something about why there is no su, but it goes on to
>say (indirectly) that login(1) may be a substitute.  I will amend it to
>include the information you provide above.
>
>(I don't know about this stuff myself, so I can't put it in the FAQ
>until I get concise, pithy emails like this one.  Thanks Corinna!)
>
>Cheers,
>David
>
>
>--
>Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>Bug reporting:         http://cygwin.com/bugs.html
>Documentation:         http://cygwin.com/docs.html
>FAQ:                   http://cygwin.com/faq/




--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Larry Hall (RFK Partners, Inc)]

At 09:59 AM 11/13/2001, Mark Paulus wrote:
>So,
>
>If I understand this little diddy, one shouldn't just up and do a
>"login root"?  If that is the case, then what does one do to "become"
>another user?  I have gotten it to work by telnetting back to my machine
>and logging in as root that way, but that is rather "klunky", in my opinion.
>However, if that is the ONLY way to do it, then so be it.  It should be 
>documented as such, though.....

Corinna's explanation indicates that rlogin would work as well, if that
seems less "klunky" to you.

I believe that it's David's and Corinna's intention to document this 
issue in the FAQ.  Since David maintains the FAQ and does it in a notably
timely manner, I think you'll see something here soon.


>On Tue, 13 Nov 2001 11:41:58 +0000, David Starks-Browning wrote:
>
> >On Tuesday 13 Nov 01, Corinna Vinschen writes:
> >> LogonUser/CreateProcessAsUser need special user rights.  This rights
> >> are not given to user accounts, not even to admins.  Only SYSTEM has
> >> that user rights by default.  That's the reason that login only
> >> works when started from telnetd or rlogind, started from inetd which
> >> itself is running as service under SYSTEM account.
> >> 
> >> login(1) is not intended for use on the command line under Cygwin.
> >> 
> >> Shouldn't we create a FAQ for that?
> >
> >There is already something about why there is no su, but it goes on to
> >say (indirectly) that login(1) may be a substitute.  I will amend it to
> >include the information you provide above.
> >
> >(I don't know about this stuff myself, so I can't put it in the FAQ
> >until I get concise, pithy emails like this one.  Thanks Corinna!)
> >
> >Cheers,
> >David
> >
> >
> >--
> >Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> >Bug reporting:         http://cygwin.com/bugs.html
> >Documentation:         http://cygwin.com/docs.html
> >FAQ:                   http://cygwin.com/faq/
>
>
>
>
>--
>Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>Bug reporting:         http://cygwin.com/bugs.html
>Documentation:         http://cygwin.com/docs.html
>FAQ:                   http://cygwin.com/faq/


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Corinna Vinschen]

On Tue, Nov 13, 2001 at 10:06:25AM -0500, Larry Hall (RFK Partners, Inc) wrote:
> At 09:59 AM 11/13/2001, Mark Paulus wrote:
> >So,
> >
> >If I understand this little diddy, one shouldn't just up and do a
> >"login root"?  If that is the case, then what does one do to "become"
> >another user?  I have gotten it to work by telnetting back to my machine
> >and logging in as root that way, but that is rather "klunky", in my opinion.

You're right... from a POSIX system point of view.  However, we're
on a Windows system.  NT has a completely different way of handling
security issues.  Cygwin is just a user space DLL on top of Win32
and (sometimes) native NT API.

You know the `Run as user' functionality on W2K/XP?  It's done the
same "klunky" way as if you use Cygwins' telnet/rlogin/ssh to
change user context.  It's using a service process running under
SYSTEM account.  Surprise, surprise...

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Corinna Vinschen]

On Tue, Nov 13, 2001 at 04:44:33PM +0100, Corinna Vinschen wrote:
> On Tue, Nov 13, 2001 at 10:06:25AM -0500, Larry Hall (RFK Partners, Inc) wrote:
> > At 09:59 AM 11/13/2001, Mark Paulus wrote:
> > >So,
> > >
> > >If I understand this little diddy, one shouldn't just up and do a
> > >"login root"?  If that is the case, then what does one do to "become"
> > >another user?  I have gotten it to work by telnetting back to my machine
> > >and logging in as root that way, but that is rather "klunky", in my opinion.
> 
> You're right... from a POSIX system point of view.  However, we're
> on a Windows system.  NT has a completely different way of handling
> security issues.  Cygwin is just a user space DLL on top of Win32
> and (sometimes) native NT API.

                               ... which means, we can't just speak
a spell and get rid of NT security issues.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Corinna Vinschen]

Sorry David, that's missing:

On Tue, Nov 13, 2001 at 02:05:31PM +0100, Corinna Vinschen wrote:
>   "Act as part of the operating system" (up to W2K, not needed since XP)
>   "Replace process level token"
>   "Increase quotas"

...which are _very_ powerful user rights which shouldn't be given
to ordinary user accounts!

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Larry Hall (RFK Partners, Inc)]

At 09:59 AM 11/13/2001, Mark Paulus wrote:
>So,
>
>If I understand this little diddy, one shouldn't just up and do a
>"login root"?  If that is the case, then what does one do to "become"
>another user?  I have gotten it to work by telnetting back to my machine
>and logging in as root that way, but that is rather "klunky", in my opinion.
>However, if that is the ONLY way to do it, then so be it.  It should be 
>documented as such, though.....

Corinna's explanation indicates that rlogin would work as well, if that
seems less "klunky" to you.

I believe that it's David's and Corinna's intention to document this 
issue in the FAQ.  Since David maintains the FAQ and does it in a notably
timely manner, I think you'll see something here soon.


>On Tue, 13 Nov 2001 11:41:58 +0000, David Starks-Browning wrote:
>
> >On Tuesday 13 Nov 01, Corinna Vinschen writes:
> >> LogonUser/CreateProcessAsUser need special user rights.  This rights
> >> are not given to user accounts, not even to admins.  Only SYSTEM has
> >> that user rights by default.  That's the reason that login only
> >> works when started from telnetd or rlogind, started from inetd which
> >> itself is running as service under SYSTEM account.
> >> 
> >> login(1) is not intended for use on the command line under Cygwin.
> >> 
> >> Shouldn't we create a FAQ for that?
> >
> >There is already something about why there is no su, but it goes on to
> >say (indirectly) that login(1) may be a substitute.  I will amend it to
> >include the information you provide above.
> >
> >(I don't know about this stuff myself, so I can't put it in the FAQ
> >until I get concise, pithy emails like this one.  Thanks Corinna!)
> >
> >Cheers,
> >David
> >
> >
> >--
> >Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> >Bug reporting:         http://cygwin.com/bugs.html
> >Documentation:         http://cygwin.com/docs.html
> >FAQ:                   http://cygwin.com/faq/
>
>
>
>
>--
>Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>Bug reporting:         http://cygwin.com/bugs.html
>Documentation:         http://cygwin.com/docs.html
>FAQ:                   http://cygwin.com/faq/


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Corinna Vinschen]

On Mon, Nov 12, 2001 at 04:39:04PM -0700, Mark Paulus wrote:
> Hi,
> 
> I've tried various permutations of things in /etc/passwd in order
> to make login work, and I can't seem to get the correct things worked.
> 
> My machine is running Win2K/SP2, connected to a domain, and 
> roaming profiles are enabled.  I have tried doing a mkpasswd -l
> and then doing a login <myUserid> with my normal windows password,
> and failure.
> I have tried doing a mkpasswd -d and then doing a login <myUserid>
> with my normal windows passwd, and failure.
> 
> Where/what is the silver bullet to getting this login stuff to work.
> I ultimately want to be able to define root as a user, and be able to 
> login to that account for some work, but I can't seem to get any
> of it working.  I have read the NT security and the ntsec usage
> guide, and I think I comprehend most of what's in there, but I
> can't figure out this one....
> 
> Any pointers would be appreciated....

LogonUser/CreateProcessAsUser need special user rights.  This rights
are not given to user accounts, not even to admins.  Only SYSTEM has
that user rights by default.  That's the reason that login only
works when started from telnetd or rlogind, started from inetd which
itself is running as service under SYSTEM account.

login(1) is not intended for use on the command line under Cygwin.

Shouldn't we create a FAQ for that?

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Corinna Vinschen]

On Tue, Nov 13, 2001 at 04:44:33PM +0100, Corinna Vinschen wrote:
> On Tue, Nov 13, 2001 at 10:06:25AM -0500, Larry Hall (RFK Partners, Inc) wrote:
> > At 09:59 AM 11/13/2001, Mark Paulus wrote:
> > >So,
> > >
> > >If I understand this little diddy, one shouldn't just up and do a
> > >"login root"?  If that is the case, then what does one do to "become"
> > >another user?  I have gotten it to work by telnetting back to my machine
> > >and logging in as root that way, but that is rather "klunky", in my opinion.
> 
> You're right... from a POSIX system point of view.  However, we're
> on a Windows system.  NT has a completely different way of handling
> security issues.  Cygwin is just a user space DLL on top of Win32
> and (sometimes) native NT API.

                               ... which means, we can't just speak
a spell and get rid of NT security issues.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Corinna Vinschen]

Thanks, David.

You should probably add the following info:

Login works fine on 9x/Me on the command line since there are no
special user rights or any other form of security at all.

It works if the _calling_ user account got the needed user rights:

  "Act as part of the operating system" (up to W2K, not needed since XP)
  "Replace process level token"
  "Increase quotas"

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Corinna Vinschen]

On Tue, Nov 13, 2001 at 10:06:25AM -0500, Larry Hall (RFK Partners, Inc) wrote:
> At 09:59 AM 11/13/2001, Mark Paulus wrote:
> >So,
> >
> >If I understand this little diddy, one shouldn't just up and do a
> >"login root"?  If that is the case, then what does one do to "become"
> >another user?  I have gotten it to work by telnetting back to my machine
> >and logging in as root that way, but that is rather "klunky", in my opinion.

You're right... from a POSIX system point of view.  However, we're
on a Windows system.  NT has a completely different way of handling
security issues.  Cygwin is just a user space DLL on top of Win32
and (sometimes) native NT API.

You know the `Run as user' functionality on W2K/XP?  It's done the
same "klunky" way as if you use Cygwins' telnet/rlogin/ssh to
change user context.  It's using a service process running under
SYSTEM account.  Surprise, surprise...

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[Mark Paulus]

So,

If I understand this little diddy, one shouldn't just up and do a
"login root"?  If that is the case, then what does one do to "become"
another user?  I have gotten it to work by telnetting back to my machine
and logging in as root that way, but that is rather "klunky", in my opinion.
However, if that is the ONLY way to do it, then so be it.  It should be 
documented as such, though.....


On Tue, 13 Nov 2001 11:41:58 +0000, David Starks-Browning wrote:

>On Tuesday 13 Nov 01, Corinna Vinschen writes:
>> LogonUser/CreateProcessAsUser need special user rights.  This rights
>> are not given to user accounts, not even to admins.  Only SYSTEM has
>> that user rights by default.  That's the reason that login only
>> works when started from telnetd or rlogind, started from inetd which
>> itself is running as service under SYSTEM account.
>> 
>> login(1) is not intended for use on the command line under Cygwin.
>> 
>> Shouldn't we create a FAQ for that?
>
>There is already something about why there is no su, but it goes on to
>say (indirectly) that login(1) may be a substitute.  I will amend it to
>include the information you provide above.
>
>(I don't know about this stuff myself, so I can't put it in the FAQ
>until I get concise, pithy emails like this one.  Thanks Corinna!)
>
>Cheers,
>David
>
>
>--
>Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>Bug reporting:         http://cygwin.com/bugs.html
>Documentation:         http://cygwin.com/docs.html
>FAQ:                   http://cygwin.com/faq/




--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: How do I figure out why LogonUserA is failing?

[David Starks-Browning]

On Tuesday 13 Nov 01, Corinna Vinschen writes:
> LogonUser/CreateProcessAsUser need special user rights.  This rights
> are not given to user accounts, not even to admins.  Only SYSTEM has
> that user rights by default.  That's the reason that login only
> works when started from telnetd or rlogind, started from inetd which
> itself is running as service under SYSTEM account.
> 
> login(1) is not intended for use on the command line under Cygwin.
> 
> Shouldn't we create a FAQ for that?

There is already something about why there is no su, but it goes on to
say (indirectly) that login(1) may be a substitute.  I will amend it to
include the information you provide above.

(I don't know about this stuff myself, so I can't put it in the FAQ
until I get concise, pithy emails like this one.  Thanks Corinna!)

Cheers,
David


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

How do I figure out why LogonUserA is failing?

[Mark Paulus]

Hi,

I've tried various permutations of things in /etc/passwd in order
to make login work, and I can't seem to get the correct things worked.

My machine is running Win2K/SP2, connected to a domain, and 
roaming profiles are enabled.  I have tried doing a mkpasswd -l
and then doing a login <myUserid> with my normal windows password,
and failure.
I have tried doing a mkpasswd -d and then doing a login <myUserid>
with my normal windows passwd, and failure.

Where/what is the silver bullet to getting this login stuff to work.
I ultimately want to be able to define root as a user, and be able to 
login to that account for some work, but I can't seem to get any
of it working.  I have read the NT security and the ntsec usage
guide, and I think I comprehend most of what's in there, but I
can't figure out this one....

Any pointers would be appreciated....

Thanks.



--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

How do I figure out why LogonUserA is failing?

[Mark Paulus]

Hi,

I've tried various permutations of things in /etc/passwd in order
to make login work, and I can't seem to get the correct things worked.

My machine is running Win2K/SP2, connected to a domain, and 
roaming profiles are enabled.  I have tried doing a mkpasswd -l
and then doing a login <myUserid> with my normal windows password,
and failure.
I have tried doing a mkpasswd -d and then doing a login <myUserid>
with my normal windows passwd, and failure.

Where/what is the silver bullet to getting this login stuff to work.
I ultimately want to be able to define root as a user, and be able to 
login to that account for some work, but I can't seem to get any
of it working.  I have read the NT security and the ntsec usage
guide, and I think I comprehend most of what's in there, but I
can't figure out this one....

Any pointers would be appreciated....

Thanks.



--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/