This is the mail archive of the cygwin mailing list for the Cygwin project.
OT observation: displaying share perms while in an ssh session
- From: cygzx at trodman dot com (Tom Rodman)
- To: cygwin at cygwin dot com
- Date: Wed, 20 Dec 2006 15:49:41 -0600
- Subject: OT observation: displaying share perms while in an ssh session
- Reply-to: cygwin at cygwin dot com
Thought this was interesting. My theory: if you're in a cygwin
*password* *authenticated* ssh session, and you try to get a report
of the permissions for a network share, the report will fail,
unless SYSTEM has read rights on the share.
Both examples below were invoked on the same host ( OurSrvr063 )
as a user in the administrators group.
Sorry, my examples use a third-party tool called setacl:
$ cygcheck -f /usr/bin/ssh
openssh-4.3p2-3
$ uname -a
CYGWIN_NT-5.2 OurSrvr063 1.5.20s(0.155/4/2) 20060403 13:33:45 i686 Cygwin
failing example:
$ setacl -on '\\c7mdc063\d_drive' -ot shr -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
Info: Privilege 'Back up files and directories' could not be enabled. This can probably be ignored.
Info: Privilege 'Restore files and directories' could not be enabled. This can probably be ignored.
ERROR reading SD from <\\c7mdc063\d_drive>: The object has a NULL security descriptor
--snip
working example (share same except that "SYSTEM read" was added):
$ setacl -on '\\OurSrvr063\d_drive' -ot shr -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
\\OurSrvr063\d_drive
Owner: BUILTIN\Administrators
Group: DOMxx1\Domain Users
DACL(not_protected):
BUILTIN\Administrators full allow no_inheritance
--snip
DOMxx1\devbuild read allow no_inheritance
OurSrvr063\Informix-Admin full allow no_inheritance
S-1-5-21-1177238915-1979792683-1801674531-2119 read allow no_inheritance
DOMxx1\XYZ_ES_STAFF read allow no_inheritance
DOMxx1\sehandof read allow no_inheritance
NT AUTHORITY\SYSTEM read allow no_inheritance
--snip
BTW Windows' "whoami" displays the username of the account that goes
with the password that was entered to start the ssh session;
remember that the ssh sessions above are *password* *authenticated*.
So for those shares I define, I plan to add "SYSTEM read". I just tried
displaying the share perms in an ssh session on a Windows 2000 box and
it worked fine w/o the 'SYSTEM read' allow ACE, so (at least for us)
this appears to be specific to Windows 2003 (Server).
Admittedly this is barely worth posting, and I'm not expecting any
response.
--
thanks,
Tom
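The post above lists share permissions with the third-party setacl tool and concludes that a "NT AUTHORITY\SYSTEM read allow" ACE is what makes the listing work from a password-authenticated cygwin ssh session. The script below is an added example, not code from the original post or from the Cygwin project: it reads the same share DACL through WMI (Win32_LogicalShareSecuritySetting), reports whether SYSTEM already holds an Allow ACE covering share Read, and, only when asked with -AddSystemRead, appends such an ACE. The share name d_drive, the local host, the standard share permission masks (Read 0x1200A9, Change 0x1301BF, Full 0x1F01FF) and running as an administrator are assumptions; this is the WMI route, not setacl's.

```powershell
# Added example, not from the original post. Lists a share's DACL via WMI,
# checks for an Allow ACE granting NT AUTHORITY\SYSTEM at least share Read,
# and optionally appends one. Assumptions: local host, share 'd_drive',
# WMI class Win32_LogicalShareSecuritySetting available, run as administrator.
param(
    [string]$Share = 'd_drive',
    [string]$ComputerName = '.',
    [switch]$AddSystemRead
)

# Access masks Windows maps to the three share permission levels
$ShareRead   = 0x1200A9
$ShareChange = 0x1301BF
$ShareFull   = 0x1F01FF
$AccessAllowedAceType = 0
$SystemSidString = 'S-1-5-18'      # well-known SID of NT AUTHORITY\SYSTEM

function Get-ShareSecurity {
    param([string]$Name, [string]$Computer)
    $ss = Get-WmiObject -ComputerName $Computer -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Name'"
    if (-not $ss) { throw "No share named '$Name' on $Computer" }
    $r = $ss.GetSecurityDescriptor()
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with code $($r.ReturnValue)" }
    return @{ Setting = $ss; Descriptor = $r.Descriptor }
}

function Describe-Mask([uint32]$Mask) {
    if ($Mask -eq $ShareFull)   { return 'full' }
    if ($Mask -eq $ShareChange) { return 'change' }
    if ($Mask -eq $ShareRead)   { return 'read' }
    return ('0x{0:X}' -f $Mask)
}

$share = Get-ShareSecurity -Name $Share -Computer $ComputerName
$sd = $share.Descriptor
$systemHasRead = $false

Write-Host "\\$ComputerName\$Share  owner: $($sd.Owner.Domain)\$($sd.Owner.Name)"
# A NULL DACL leaves $sd.DACL empty; foreach over $null simply runs zero times.
foreach ($ace in $sd.DACL) {
    $who  = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
    $kind = if ($ace.AceType -eq $AccessAllowedAceType) { 'allow' } else { 'deny' }
    Write-Host ("  {0,-40} {1,-6} {2}" -f $who, (Describe-Mask $ace.AccessMask), $kind)

    $isSystem = ($ace.Trustee.SIDString -eq $SystemSidString) -or
                ($ace.Trustee.Domain -eq 'NT AUTHORITY' -and $ace.Trustee.Name -eq 'SYSTEM')
    if ($isSystem -and $ace.AceType -eq $AccessAllowedAceType -and
        (($ace.AccessMask -band $ShareRead) -eq $ShareRead)) {
        $systemHasRead = $true
    }
}

if ($systemHasRead) {
    Write-Host "SYSTEM already holds share Read on \\$ComputerName\$Share"
    return
}

Write-Host "SYSTEM has no Allow ACE covering share Read on \\$ComputerName\$Share"
if ($AddSystemRead) {
    # Build the trustee from the well-known SID rather than resolving a name.
    $sid = New-Object System.Security.Principal.SecurityIdentifier $SystemSidString
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.Domain    = 'NT AUTHORITY'
    $trustee.Name      = 'SYSTEM'
    $trustee.SIDString = $SystemSidString
    $trustee.SID       = $sidBytes

    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $ShareRead
    $ace.AceFlags   = 0                 # share ACEs carry no inheritance flags
    $ace.AceType    = $AccessAllowedAceType
    $ace.Trustee    = $trustee.PSObject.ImmediateBaseObject

    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $r = $share.Setting.SetSecurityDescriptor($sd)
    if ($r.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with code $($r.ReturnValue)" }
    Write-Host "Added 'NT AUTHORITY\SYSTEM read allow' to \\$ComputerName\$Share"
}
```

Run it without switches first to see the DACL in the same shape as the setacl listing above (trustee, level, allow/deny); re-run with -AddSystemRead only after confirming the listing is the share you mean, since SetSecurityDescriptor replaces the whole share DACL with the array you hand it.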
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/