public inbox for cygwin@cygwin.com
 help / color / mirror / Atom feed
* sshd/cron seteuid() problem in latest CVS
@ 2002-04-12  8:23 Jason Tishler
  2002-04-15  4:24 ` Corinna Vinschen
  0 siblings, 1 reply; 4+ messages in thread
From: Jason Tishler @ 2002-04-12  8:23 UTC (permalink / raw)
  To: Cygwin

[-- Attachment #1: Type: text/plain, Size: 583 bytes --]

Using the latest CVS, I am getting the following Event Log error messages:

    o fatal: setuid 19695: Operation not permitted
    o (CRON) error (can't switch user context)

with sshd and cron, respectively.  After some debugging, I determined
that the following patch is causing the problem:

    http://cygwin.com/ml/cygwin-cvs/2002-q1/msg00218.html

The above patch needs to be reverted or reworked.  See attached for an
strace snippet.

Note that I'm operating in a domain environment.  My WAG is that this
problem may not be apparent in a workgroup environment.

Thanks,
Jason

[-- Attachment #2: seteuid.err --]
[-- Type: text/plain, Size: 1350 bytes --]

 1602 25198850 [main] sshd 836 seteuid: myself->gid: 513, gr: 268637752
 2300 25201150 [main] sshd 836 set_process_privilege: 0 = set_process_privilege (SeCreateTokenPrivilege, 1)
5127879 30329029 [main] sshd 836 get_user_groups: 123 = NetUserGetGroups ()
  979 30330008 [main] sshd 836 set_process_privilege: 1 = set_process_privilege (SeCreateTokenPrivilege, 0)
  522 30330530 [main] sshd 836 create_token: -1 = create_token ()
  206 30330736 [main] sshd 836 seteuid: create token failed, try subauthentication.
 1212 30331948 [main] sshd 836 set_process_privilege: 0 = set_process_privilege (SeTcbPrivilege, 1)
60911 30392859 [main] sshd 836 extract_nt_dom_user: pw_gecos = 1003198A (U-TISHLERJASON\Administrator,S-1-5-21-1571110079-60108220-2047483585-500)
 4446 30397305 [main] sshd 836 subauth: LsaLogonUser: -1073741702
 1663 30398968 [main] sshd 836 set_process_privilege: 0 = set_process_privilege (SeTcbPrivilege, 0)
 1127 30400095 [main] sshd 836 internal_getlogin: GetUserName() = SYSTEM
 1271 30401366 [main] sshd 836 internal_getlogin: Domain: (null), Logon Server: \\PALO-ALTO-PDC, Windows Username: SYSTEM
225771 30627137 [main] sshd 836 internal_getlogin: Cygwins Username: SYSTEM
  177 30627314 [main] sshd 836 seteuid: Diffs!!! token: -1, cur: 18, new: 500, orig: 18
  439 30627753 [main] sshd 836 setuid: real: 18, effective: 18


[-- Attachment #3: Type: text/plain, Size: 214 bytes --]

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: sshd/cron seteuid() problem in latest CVS
  2002-04-12  8:23 sshd/cron seteuid() problem in latest CVS Jason Tishler
@ 2002-04-15  4:24 ` Corinna Vinschen
  2002-04-17  8:25   ` Jason Tishler
  0 siblings, 1 reply; 4+ messages in thread
From: Corinna Vinschen @ 2002-04-15  4:24 UTC (permalink / raw)
  To: Cygwin

On Fri, Apr 12, 2002 at 11:21:32AM -0400, Jason Tishler wrote:
> Using the latest CVS, I am getting the following Event Log error messages:
> 
>     o fatal: setuid 19695: Operation not permitted
>     o (CRON) error (can't switch user context)
> 
> with sshd and cron, respectively.  After some debugging, I determined
> that the following patch is causing the problem:
> 
>     http://cygwin.com/ml/cygwin-cvs/2002-q1/msg00218.html
> 
> The above patch needs to be reverted or reworked.  See attached for an
> strace snippet.
> 
> Note that I'm operating in a domain environment.  My WAG is that this
> problem may not be apparent in a workgroup environment.

This isn't clear to me.  The patch only changes the way, the PDC
is elicited.  I don't see any connection especially with the below
strace snippet.

Corinna


> 
> Thanks,
> Jason

>  1602 25198850 [main] sshd 836 seteuid: myself->gid: 513, gr: 268637752
>  2300 25201150 [main] sshd 836 set_process_privilege: 0 = set_process_privilege (SeCreateTokenPrivilege, 1)
> 5127879 30329029 [main] sshd 836 get_user_groups: 123 = NetUserGetGroups ()
>   979 30330008 [main] sshd 836 set_process_privilege: 1 = set_process_privilege (SeCreateTokenPrivilege, 0)
>   522 30330530 [main] sshd 836 create_token: -1 = create_token ()
>   206 30330736 [main] sshd 836 seteuid: create token failed, try subauthentication.
>  1212 30331948 [main] sshd 836 set_process_privilege: 0 = set_process_privilege (SeTcbPrivilege, 1)
> 60911 30392859 [main] sshd 836 extract_nt_dom_user: pw_gecos = 1003198A (U-TISHLERJASON\Administrator,S-1-5-21-1571110079-60108220-2047483585-500)
>  4446 30397305 [main] sshd 836 subauth: LsaLogonUser: -1073741702
>  1663 30398968 [main] sshd 836 set_process_privilege: 0 = set_process_privilege (SeTcbPrivilege, 0)
>  1127 30400095 [main] sshd 836 internal_getlogin: GetUserName() = SYSTEM
>  1271 30401366 [main] sshd 836 internal_getlogin: Domain: (null), Logon Server: \\PALO-ALTO-PDC, Windows Username: SYSTEM
> 225771 30627137 [main] sshd 836 internal_getlogin: Cygwins Username: SYSTEM
>   177 30627314 [main] sshd 836 seteuid: Diffs!!! token: -1, cur: 18, new: 500, orig: 18
>   439 30627753 [main] sshd 836 setuid: real: 18, effective: 18
> 

> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Bug reporting:         http://cygwin.com/bugs.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: sshd/cron seteuid() problem in latest CVS
  2002-04-15  4:24 ` Corinna Vinschen
@ 2002-04-17  8:25   ` Jason Tishler
  2002-04-18  1:55     ` Corinna Vinschen
  0 siblings, 1 reply; 4+ messages in thread
From: Jason Tishler @ 2002-04-17  8:25 UTC (permalink / raw)
  To: cygwin

[-- Attachment #1: Type: text/plain, Size: 1526 bytes --]

Corinna,

On Mon, Apr 15, 2002 at 01:18:09PM +0200, Corinna Vinschen wrote:
> On Fri, Apr 12, 2002 at 11:21:32AM -0400, Jason Tishler wrote:
> > Using the latest CVS, I am getting the following Event Log error messages:
> > 
> >     o fatal: setuid 19695: Operation not permitted
> >     o (CRON) error (can't switch user context)
> > 
> > with sshd and cron, respectively.  After some debugging, I determined
> > that the following patch is causing the problem:
> > 
> >     http://cygwin.com/ml/cygwin-cvs/2002-q1/msg00218.html
> > 
> > The above patch needs to be reverted or reworked.  See attached for an
> > strace snippet.
> > 
> > Note that I'm operating in a domain environment.  My WAG is that this
> > problem may not be apparent in a workgroup environment.
> 
> This isn't clear to me.  The patch only changes the way, the PDC
> is elicited.

After some more digging, I believe that I have found the root cause to
the above problem.  The new way, via NetGetDCName(), causes two extra
backslashes to be prepended to the PDC name as demonstrated by the
attached test program:

    NetServerEnum PDC = PALO-ALTO-PDC
    NetGetDCName PDC = \\PALO-ALTO-PDC

This causes the NetUserGetGroups() call in get_user_groups() to SEGV
(at least under gdb) and hence, ultimately create_token() fails.

My WAG regarding domain vs. workgroup was correct because the workgroup
path through this code does not cause extra backslashes to be prepended.

I will submit a patch to cygwin-patches to correct this problem.

Thanks,
Jason

[-- Attachment #2: net.cc --]
[-- Type: text/plain, Size: 524 bytes --]

#include <stdio.h>
#include <windows.h>
#include <lm.h>

int
main()
{
	LPSERVER_INFO_101 buf;
	DWORD count, total;
	NET_API_STATUS status = NetServerEnum(
			NULL,
			101,
			(LPBYTE*) &buf,
			MAX_PREFERRED_LENGTH,
			&count,
			&total,
			SV_TYPE_DOMAIN_CTRL,
			NULL,
			NULL);
	if (status == NERR_Success)
		printf("NetServerEnum PDC = %ls\n", buf[0].sv101_name);

	WCHAR* buf2;
	status = NetGetDCName(NULL, NULL, (LPBYTE*) &buf2);
	if (status == NERR_Success)
		printf("NetGetDCName PDC = %ls\n", buf2);

	return 0;
}


[-- Attachment #3: Type: text/plain, Size: 214 bytes --]

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: sshd/cron seteuid() problem in latest CVS
  2002-04-17  8:25   ` Jason Tishler
@ 2002-04-18  1:55     ` Corinna Vinschen
  0 siblings, 0 replies; 4+ messages in thread
From: Corinna Vinschen @ 2002-04-18  1:55 UTC (permalink / raw)
  To: cygwin

On Wed, Apr 17, 2002 at 11:25:53AM -0400, Jason Tishler wrote:
> After some more digging, I believe that I have found the root cause to
> the above problem.  The new way, via NetGetDCName(), causes two extra
> backslashes to be prepended to the PDC name as demonstrated by the
> attached test program:
> 
>     NetServerEnum PDC = PALO-ALTO-PDC
>     NetGetDCName PDC = \\PALO-ALTO-PDC
> 
> This causes the NetUserGetGroups() call in get_user_groups() to SEGV
> (at least under gdb) and hence, ultimately create_token() fails.

Ok, that explains it.

> My WAG regarding domain vs. workgroup was correct because the workgroup
> path through this code does not cause extra backslashes to be prepended.
> 
> I will submit a patch to cygwin-patches to correct this problem.

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2002-04-18  8:44 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2002-04-12  8:23 sshd/cron seteuid() problem in latest CVS Jason Tishler
2002-04-15  4:24 ` Corinna Vinschen
2002-04-17  8:25   ` Jason Tishler
2002-04-18  1:55     ` Corinna Vinschen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).