This is the mail archive of the cygwin mailing list for the Cygwin project.
Last week I loaded cygwin 1.5.19 on a new Windows 2003 Server
(Standard Edition; service pack 1).
When I ssh'd to this host, I had insufficient rights to "cd"
to a network share. I was able to fix this, using Pierre A. Humblet's
approach, by running the 'id -G' command at the console and then adding
my username to the "userlist" [4th field] in /etc/group for each group
listed by 'id -G'.
see: http://cygwin.com/ml/cygwin/2005-07/msg01287.html
After the fix, in ssh you could cd to the network share and write to
directories as expected. This fix worked fine, until:
-- The Problem --
On Monday several compilers were loaded on this host (OurSrvr064);
because of this, 4 new local groups were created. So I updated
/etc/group by running 'mkgroup -ld', and subsequently re-did
Pierre's approach: adding the username ("staffuser2", a domain user) to
the "userlist" [4th field] in /etc/group for each group listed by 'id -G'.
Unfortunately this failed. Also, the ssh session showed one
*additional* local group (gid 1008) for user staffuser2, additional with
respect to the 'id -G' output of the (non-ssh) Terminal Services bash session.
Also notable was that whoami showed "OurSrvr064\sshd_server" instead of
"staffuser2".
Please help me fix this again.
overview of problem, and attempt to fix: {
$ cygcheck -s |egrep '^Runni'
Running in Terminal Service session
$ uname -a
CYGWIN_NT-5.2 OurSrvr064 1.5.19(0.150/4/2) 2006-01-20 13:28 i686 Cygwin
$ mkgroup -ld > /etc/group ;( mkpasswd -l; mkpasswd -d -u $(id -un) ) >/etc/passwd
$ grep $(id -un) /etc/passwd
staffuser2:unused_by_nt/2000/xp:15776:10513:staffuser2 tcm,U-DOMxx1\staffuser2,S-1-5-21-1390067357-1202660629-682003330-5776:/home/staffuser2:/bin/bash
$
--snip (exited and restarted bash in same Terminal Service session)
$ : we will be using Pierre's group listing program, that I named "_mygroups"
$ : to see the code, search ahead for "_mygroups.c"
$ : next I cat a script that will (eventually) show the problem
$ : ("OurServer108" below is a remote host)
$ cat /cygdrive/c/adm/ssh_test_my_rights00
#!/bin/bash -x
cd //OurServer108/tcm
id -G
id
:
whoami
/cygdrive/c/adm/_mygroups |grep 'use: 2'
:
/cygdrive/c/adm/_mygroups
$ : next, will run test script, it works just fine in a Terminal Service session:
$ /cygdrive/c/adm/ssh_test_my_rights00
+ cd //OurServer108/tcm
+ id -G
10513 544 545 1010 19858 19968 16025 16027 16024
+ id
uid=15776(staffuser2) gid=10513(Domain Users) groups=544(Administrators),545(Users),1010(Debugger Users),19858(ABC_NA-CTX-Notepad-A),19968(ABC_NA-DOMxx0-tcm-Users-A),10513(Domain Users),16025(XYZ_BLD_MGR),16027(XYZ_ES_STAFF),16024(XYZ_Users)
+ :
+ whoami
staffuser2
+ /cygdrive/c/adm/_mygroups
+ grep 'use: 2'
0: Domain Users, DOMxx1, use: 2 attribs: 7
11: XYZ_ES_STAFF, DOMxx1, use: 2 attribs: 7
12: XYZ_BLD_MGR, DOMxx1, use: 2 attribs: 7
13: ABC_NA-CTX-Notepad-A, DOMxx1, use: 2 attribs: 7
14: ABC_NA-DOMxx0-tcm-Users-A, DOMxx1, use: 2 attribs: 7
15: XYZ_Users, DOMxx1, use: 2 attribs: 7
+ :
+ /cygdrive/c/adm/_mygroups
0: Domain Users, DOMxx1, use: 2 attribs: 7
1: Everyone, , use: 5 attribs: 7
2: Debugger Users, OurSrvr064, use: 4 attribs: 7
3: Administrators, BUILTIN, use: 4 attribs: f
4: Users, BUILTIN, use: 4 attribs: 7
5: REMOTE INTERACTIVE LOGON, NT AUTHORITY, use: 5 attribs: 7
6: INTERACTIVE, NT AUTHORITY, use: 5 attribs: 7
7: Authenticated Users, NT AUTHORITY, use: 5 attribs: 7
8: This Organization, NT AUTHORITY, use: 5 attribs: 7
9: 5 0 4217733 attribs: c0000007
10: LOCAL, , use: 5 attribs: 7
11: XYZ_ES_STAFF, DOMxx1, use: 2 attribs: 7
12: XYZ_BLD_MGR, DOMxx1, use: 2 attribs: 7
13: ABC_NA-CTX-Notepad-A, DOMxx1, use: 2 attribs: 7
14: ABC_NA-DOMxx0-tcm-Users-A, DOMxx1, use: 2 attribs: 7
15: XYZ_Users, DOMxx1, use: 2 attribs: 7
16: ABC_NA-DL-CTX-Notepad Users-A, DOMxx1, use: 4 attribs: 20000007
17: CERTSVC_DCOM_ACCESS, DOMxx1, use: 4 attribs: 20000007
18: RILOE_SCM, DOMxx1, use: 4 attribs: 20000007
$
$ : so far so good, now try test in ssh, notice the 'cd' fails, notice 'whoami' and 'id -G' output
$ ssh localhost /cygdrive/c/adm/ssh_test_my_rights00
staffuser2@localhost's password:
+ cd //OurServer108/tcm
/cygdrive/c/adm/ssh_test_my_rights00: line 3: cd: //OurServer108/tcm: Permission denied
+ id -G
10513 544 545 1010 1008
+ id
uid=15776(staffuser2) gid=10513(Domain Users) groups=544(Administrators),545(Users),1010(Debugger Users),1008(OWS_2416084231_admin),10513(Domain Users)
+ :
+ whoami
OurSrvr064\sshd_server
+ /cygdrive/c/adm/_mygroups
+ grep 'use: 2'
5: Domain Users, DOMxx1, use: 2 attribs: 7
+ :
+ /cygdrive/c/adm/_mygroups
0: Everyone, , use: 5 attribs: 7
1: Authenticated Users, NT AUTHORITY, use: 5 attribs: 7
2: LOCAL, , use: 5 attribs: 7
3: SERVICE, NT AUTHORITY, use: 5 attribs: 7
4: 5 0 9916154 attribs: c0000007
5: Domain Users, DOMxx1, use: 2 attribs: 7
6: Administrators, BUILTIN, use: 4 attribs: 7
7: Users, BUILTIN, use: 4 attribs: 7
8: Debugger Users, OurSrvr064, use: 4 attribs: 7
9: OWS_2416084231_admin, OurSrvr064, use: 4 attribs: 7
$
--snip
$ : (edited /etc/group to add "staffuser2" to userlists [4th field] for groups that staffuser2 is in )
$ grep staffuser2 group
Administrators:S-1-5-32-544:544:staffuser2
Users:S-1-5-32-545:545:staffuser2
Debugger Users:S-1-5-21-1766903932-4289487963-3289224668-1010:1010:staffuser2
ABC_NA-CTX-Notepad-A:S-1-5-21-1390067357-1202660629-682003330-9858:19858:staffuser2
ABC_NA-DOMxx0-tcm-Users-A:S-1-5-21-1390067357-1202660629-682003330-9968:19968:staffuser2
Domain Users:S-1-5-21-1390067357-1202660629-682003330-513:10513:staffuser2
XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2
XYZ_ES_STAFF:S-1-5-21-1390067357-1202660629-682003330-6027:16027:staffuser2
XYZ_Users:S-1-5-21-1390067357-1202660629-682003330-6024:16024:staffuser2
$ : Notice that next test fails again even though groups for staffuser2 more than match,
$ : the groups staffuser2 is in within a Term Service session (1008 is the extra local group).
$ ssh localhost /cygdrive/c/adm/ssh_test_my_rights00
staffuser2@localhost's password:
+ cd //OurServer108/tcm
/cygdrive/c/adm/ssh_test_my_rights00: line 3: cd: //OurServer108/tcm: Permission denied
+ id -G
10513 544 545 1010 1008 19858 19968 16025 16027 16024
+ id
uid=15776(staffuser2) gid=10513(Domain Users) groups=544(Administrators),545(Users),1010(Debugger Users),1008(OWS_2416084231_admin),19858(ABC_NA-CTX-Notepad-A),19968(ABC_NA-DOMxx0-tcm-Users-A),10513(Domain Users),16025(XYZ_BLD_MGR),16027(XYZ_ES_STAFF),16024(XYZ_Users)
+ :
+ whoami
OurSrvr064\sshd_server
+ /cygdrive/c/adm/_mygroups
+ grep 'use: 2'
8: ABC_NA-CTX-Notepad-A, DOMxx1, use: 2 attribs: 7
9: ABC_NA-DOMxx0-tcm-Users-A, DOMxx1, use: 2 attribs: 7
10: Domain Users, DOMxx1, use: 2 attribs: 7
11: XYZ_BLD_MGR, DOMxx1, use: 2 attribs: 7
12: XYZ_ES_STAFF, DOMxx1, use: 2 attribs: 7
13: XYZ_Users, DOMxx1, use: 2 attribs: 7
+ :
+ /cygdrive/c/adm/_mygroups
0: Everyone, , use: 5 attribs: 7
1: Authenticated Users, NT AUTHORITY, use: 5 attribs: 7
2: LOCAL, , use: 5 attribs: 7
3: SERVICE, NT AUTHORITY, use: 5 attribs: 7
4: 5 0 9916154 attribs: c0000007
5: Administrators, BUILTIN, use: 4 attribs: 7
6: Users, BUILTIN, use: 4 attribs: 7
7: Debugger Users, OurSrvr064, use: 4 attribs: 7
8: ABC_NA-CTX-Notepad-A, DOMxx1, use: 2 attribs: 7
9: ABC_NA-DOMxx0-tcm-Users-A, DOMxx1, use: 2 attribs: 7
10: Domain Users, DOMxx1, use: 2 attribs: 7
11: XYZ_BLD_MGR, DOMxx1, use: 2 attribs: 7
12: XYZ_ES_STAFF, DOMxx1, use: 2 attribs: 7
13: XYZ_Users, DOMxx1, use: 2 attribs: 7
14: OWS_2416084231_admin, OurSrvr064, use: 4 attribs: 7
$ :
$ grep :1008: /etc/group
OWS_2416084231_admin:S-1-5-21-1766903932-4289487963-3289224668-1008:1008:
end overview of problem, and attempt to fix
}
-- The new local groups, and their members; these groups were added on Monday -- {
C:\>net localgroup IIS_WPG
Alias name IIS_WPG
Comment IIS Worker Process Group
Members
-------------------------------------------------------------------------------
IWAM_OurSrvr064
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SERVICE
NT AUTHORITY\SYSTEM
The command completed successfully.
C:\>net localgroup OWS_2416084231_admin
Alias name OWS_2416084231_admin
Comment Microsoft SharePoint role 'admin' for web 'http://OurSrvr064'
Members
-------------------------------------------------------------------------------
Administrators
The command completed successfully.
C:\>net localgroup "Debugger Users"
Alias name Debugger Users
Comment Debugger Users are non administrators who are allowed to use Visual Studio to debug processes, both locally and remotely. Only trusted users should be added to this group
Members
-------------------------------------------------------------------------------
DOMxx1\staffuser2
IWAM_OurSrvr064
NT AUTHORITY\SYSTEM
The command completed successfully.
C:\>net localgroup "VS Developers"
Alias name VS Developers
Comment Visual Studio developers can author web sites on this computer
Members
-------------------------------------------------------------------------------
The command completed successfully.
end The new local groups added today
}
-- background --
This host is in a large Active Directory Domain, with thousands of
users; our /etc/group file has over 2500 lines. Our AD domain and forest have a
mixture of global and domain local groups. This host is used
as a software 'build engine', i.e. Windows software is compiled there.
--
thanks,
Tom Rodman
--
Attachment:
cygcheck.out
Description: cygcheck -s -v -r
--
Pierre's group listing program {
$ ls -l /cygdrive/c/adm/_mygroups.*
-rw-r--r-- 1 staffuser2 XYZ_ES_STAFF 1030 Jan 31 06:54 /cygdrive/c/adm/_mygroups.c
-rwxrwxr-x 1 staffuser2 XYZ_ES_STAFF 12510 Jan 31 06:53 /cygdrive/c/adm/_mygroups.exe*
$ cat /cygdrive/c/adm/_mygroups.c #we'll be using Pierre's group listing program..
#include <windows.h>
#include <stdio.h>

/* List the groups in the current process token, one per line: index, account
   name, domain, SID_NAME_USE (hex) and the group attributes (hex).  SIDs that
   cannot be resolved to a name (e.g. the logon SID) are printed as their
   sub-authority values instead. */
int main(void)
{
    HANDLE token;
    char buffer[1000];             /* TOKEN_GROUPS plus all its SIDs must fit here */
    DWORD size;
    PTOKEN_GROUPS ptr = (PTOKEN_GROUPS) buffer;

    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)
        && GetTokenInformation(token, TokenGroups, buffer, sizeof(buffer), &size))
    {
        DWORD i;
        for (i = 0; i < ptr->GroupCount; i++)
        {
            SID_NAME_USE use;
            char name[100], domain[100];
            DWORD namelen = sizeof(name), domlen = sizeof(domain);

            printf("%lu: ", i);
            if (LookupAccountSid(NULL, ptr->Groups[i].Sid, name, &namelen,
                                 domain, &domlen, &use))
                printf("%s, %s, use: %x ", name, domain, (unsigned) use);
            else
            {
                /* No name for this SID: dump its sub-authorities instead */
                DWORD j;
                for (j = 0; j < *GetSidSubAuthorityCount(ptr->Groups[i].Sid); j++)
                    printf("%lu ", *GetSidSubAuthority(ptr->Groups[i].Sid, j));
            }
            printf("attribs: %lx\n", ptr->Groups[i].Attributes);
        }
        CloseHandle(token);
    }
    else
        /* Also reached when the groups do not fit in buffer (ERROR_INSUFFICIENT_BUFFER) */
        printf("Windows error %lu\n", GetLastError());
    return 0;
}
end Pierre's group listing program
}
--
Monday morning everything was fine. Later that day this software
was loaded on OurSrvr064 {
High-performance Embedded Workshop Updater
InstallShield X Standalone staffuser2
J2SE Development Kit 5.0 Update 2
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment Standard Edition v1.3.1_10
Java 2 Runtime Environment, SE v1.4.1_07
Java 2 Runtime Environment, SE v1.4.2_10
Java 2 SDK Standard Edition v1.3.1_10
Java 2 SDK, SE v1.4.1_07
Java 2 SDK, SE v1.4.2_10
Java Web Start
--snip
MSXML 4.0 SP2 Parser and SDK
Microsoft FrontPage Client - English
Microsoft Learning - Software Updates
Microsoft Office Professional Edition 2003
Microsoft SOAP Toolkit 3.0
Microsoft SQL Server 2000
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Enterprise Architect 2003 - English
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Microsoft Windows CE Platform Manager 4.0
Microsoft eMbedded Visual C++ 4.0
MyODBC
Renesas AutoUpdate Utility
Visual Studio .NET Enterprise Architect 2003 - English
Visual Studio.NET Baseline - English
WinZip
WinZip Command Line Support Add-On
WinZip Self-Extractor
Windows CE .NET Utilities for Visual Studio .NET 2003 v1.1
eMbedded Visual C++ 4.0 SP2
eMbedded Visual C++ 4.0 SP4
end loaded on Monday on OurSrvr064
}
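The /etc/group edit described at the start of this message (adding the user to the fourth field of every group that a console 'id -G' lists), together with the console-versus-ssh group comparison that the message does by eye, as an added example that is not part of the original post or of Cygwin itself. It assumes a Cygwin 1.5-style /etc/group with name:SID:gid:userlist lines; the function names add_user_to_groups and diff_gid_lists are my own, and the group lines in the demo are constructed from entries shown above.

```shell
#!/bin/sh
# Added example, not from the original post: automate the /etc/group "userlist"
# fix and the console-vs-ssh group comparison.  Function names are my own.

# add_user_to_groups USER "GID GID ..." GROUPFILE
# For each gid (as printed by a console 'id -G'), append USER to the 4th field
# of the matching GROUPFILE line unless USER is already listed.  GROUPFILE is
# rewritten in place and the original kept as GROUPFILE.bak.  Gids with no
# GROUPFILE line (e.g. a local group created since the last 'mkgroup -l') are
# reported on stderr so mkgroup can be re-run first.
add_user_to_groups() {
    user=$1 gids=$2 file=$3
    cp "$file" "$file.bak" || return 1
    awk -F: -v OFS=: -v user="$user" -v gids="$gids" '
        BEGIN {
            n = split(gids, g, " ")
            for (i = 1; i <= n; i++) want[g[i]] = 1
        }
        ($3 in want) {
            seen[$3] = 1
            m = split($4, members, ",")
            present = 0
            for (i = 1; i <= m; i++) if (members[i] == user) present = 1
            # assigning $4 rebuilds the line with OFS=":" when the userlist changes
            if (!present) $4 = ($4 == "") ? user : ($4 "," user)
        }
        { print }
        END {
            for (gid in want) if (!(gid in seen))
                print "gid " gid " has no entry in group file; re-run mkgroup" > "/dev/stderr"
        }
    ' "$file.bak" > "$file"
}

# diff_gid_lists "GIDS_A" "GIDS_B"
# Print the gids present in only one of two 'id -G' outputs, e.g. the console
# session (A) versus the ssh session (B).
diff_gid_lists() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, " "); for (i = 1; i <= na; i++) A[x[i]] = 1
        nb = split(b, y, " "); for (i = 1; i <= nb; i++) B[y[i]] = 1
        out = ""; for (i = 1; i <= na; i++) if (!(x[i] in B)) out = out " " x[i]
        print "only_in_first:" out
        out = ""; for (i = 1; i <= nb; i++) if (!(y[i] in A)) out = out " " y[i]
        print "only_in_second:" out
    }'
}

# Demo on a constructed group file (entries modelled on the ones in this
# message) with the console and ssh 'id -G' lists from the first ssh test.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        'Administrators:S-1-5-32-544:544:' \
        'Users:S-1-5-32-545:545:' \
        'Domain Users:S-1-5-21-1390067357-1202660629-682003330-513:10513:staffuser2' \
        > "$tmp"
    add_user_to_groups staffuser2 "10513 544 545 1010" "$tmp"
    cat "$tmp"
    diff_gid_lists "10513 544 545 1010 19858 19968 16025 16027 16024" \
                   "10513 544 545 1010 1008"
    rm -f "$tmp" "$tmp.bak"
}
demo
```

In the demo, gid 1010 (Debugger Users) is deliberately left out of the constructed group file so the stderr warning shows the case from this message where a new local group exists on the host but not yet in /etc/group; the comparison output names 19858, 19968, 16025, 16027 and 16024 as console-only and 1008 as ssh-only, matching the first ssh test above.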