This is the mail archive of the cygwin mailing list for the Cygwin project.



OT observation: displaying share perms while in an ssh session


Thought this was interesting. My theory: if you're in a cygwin
*password* *authenticated* ssh session and you try to get a report
of the permissions for a network share, the report will fail
unless SYSTEM has read rights on the share.

Both examples below were invoked on the same host ( OurSrvr063 )
as a user in the administrators group.
Sorry, my examples use a third-party tool called setacl:

    $ cygcheck -f /usr/bin/ssh
    openssh-4.3p2-3
    $ uname -a
    CYGWIN_NT-5.2 OurSrvr063 1.5.20s(0.155/4/2) 20060403 13:33:45 i686 Cygwin

  failing example:

    $ setacl -on '\\c7mdc063\d_drive' -ot shr -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
    Info: Privilege 'Back up files and directories' could not be enabled. This can probably be ignored.
    Info: Privilege 'Restore files and directories' could not be enabled. This can probably be ignored.
    ERROR reading SD from <\\c7mdc063\d_drive>: The object has a NULL security descriptor
    --snip

  working example (share same except that "SYSTEM read" was added):

    $ setacl -on '\\OurSrvr063\d_drive' -ot shr -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
    \\OurSrvr063\d_drive

       Owner: BUILTIN\Administrators

       Group: DOMxx1\Domain Users

       DACL(not_protected):
       BUILTIN\Administrators   full   allow   no_inheritance
    --snip
       DOMxx1\devbuild   read   allow   no_inheritance
       OurSrvr063\Informix-Admin   full   allow   no_inheritance
       S-1-5-21-1177238915-1979792683-1801674531-2119   read   allow   no_inheritance
       DOMxx1\XYZ_ES_STAFF   read   allow   no_inheritance
       DOMxx1\sehandof   read   allow   no_inheritance
       NT AUTHORITY\SYSTEM   read   allow   no_inheritance
    --snip

BTW Windows' "whoami" displays the username of the account that goes
with the password that was entered to start the ssh session;
remember that the ssh sessions above are *password* *authenticated*.

So for those shares I define, I plan to add "SYSTEM read".  I just tried
displaying the share perms in an ssh session on a Windows 2000 box and
it worked fine w/o the 'SYSTEM read' allow ACE, so (at least for us)
this appears to be specific to Windows 2003 (server).

Admittedly this is barely worth posting, and I'm not expecting any
response.

--
thanks,
Tom
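One way to audit the mitigation Tom describes (an allow ACE granting NT AUTHORITY\SYSTEM read on each share) across a whole server, as an added example that is not part of the original post and does not use setacl: it reads each share's security descriptor through the WMI class Win32_LogicalShareSecuritySetting, which exists on Windows 2003 and later, and reports whether a SYSTEM allow ACE covers the share "read" bits. The share access masks (read 0x1200A9, change 0x1301BF, full 0x1F01FF) are the values Windows uses for share-level ACEs; the SID S-1-5-18 is the well-known SID for NT AUTHORITY\SYSTEM. Run it from a local administrator console rather than from the ssh session under discussion, since reading the descriptor is exactly the step that fails there.

```powershell
# Added example (not from the original post): audit local SMB shares for an
# allow ACE that grants NT AUTHORITY\SYSTEM read access, the ACE the post
# above found necessary on Windows 2003 before a password-authenticated
# Cygwin ssh session could read a share's security descriptor.
# Assumptions: run locally with administrator rights on PowerShell 2.0 or
# later; uses the WMI class Win32_LogicalShareSecuritySetting.

# Share-permission access masks as Windows defines them for share ACEs.
$ShareRead   = 0x1200A9
$ShareChange = 0x1301BF
$ShareFull   = 0x1F01FF

# Map a share ACE access mask to the label the Windows UI shows for it.
function Get-ShareAccessLabel([int]$mask) {
    switch ($mask) {
        $ShareFull   { return 'full' }
        $ShareChange { return 'change' }
        $ShareRead   { return 'read' }
        default      { return ('0x{0:X}' -f $mask) }
    }
}

# Emits one object per share: the share name, whether SYSTEM has an allow
# ACE covering the read bits, and a one-line summary of the share DACL.
function Test-ShareSystemRead {
    param([string]$ComputerName = '.')
    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName
    foreach ($s in $settings) {
        $result = $s.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            # The SD could not be read: the same failure mode setacl reported above.
            New-Object PSObject -Property @{
                Share = $s.Name; SystemRead = $null; Dacl = ('ERROR {0}' -f $result.ReturnValue)
            }
            continue
        }
        $dacl = @($result.Descriptor.DACL)
        $entries = foreach ($ace in $dacl) {
            $type = if ($ace.AceType -eq 0) { 'allow' } else { 'deny' }
            '{0}\{1} {2} {3}' -f $ace.Trustee.Domain, $ace.Trustee.Name,
                (Get-ShareAccessLabel $ace.AccessMask), $type
        }
        # SYSTEM counts as having read only via an *allow* ACE whose mask
        # includes every bit of the share "read" mask.
        $systemRead = [bool]($dacl | Where-Object {
            $_.AceType -eq 0 -and
            $_.Trustee.SIDString -eq 'S-1-5-18' -and
            (($_.AccessMask -band $ShareRead) -eq $ShareRead)
        })
        New-Object PSObject -Property @{
            Share = $s.Name; SystemRead = $systemRead; Dacl = ($entries -join '; ')
        }
    }
}

# Shares listed with SystemRead = False are the ones that would need the
# "SYSTEM read" ACE added before they can be listed from such an ssh session.
Test-ShareSystemRead | Format-Table Share, SystemRead, Dacl -AutoSize
```

The check deliberately ignores deny ACEs and partial masks: an ACE that grants SYSTEM only some of the read bits would still leave the descriptor unreadable for the purpose the post describes, so only a full match on the read mask is reported as SystemRead = True.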



