Issue with su (setuid) on Vista 5600 (Full Version)



jmadler -> Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 4:39:00 AM)

I installed SUA on Vista RC1 (Build 5600), with all options enabled (all items, setuid, and case-sensitive fs). However, I encountered the following issue when attempting to su to Adminstrator to install a package:

% who
jmadler               ttyn00       Sep 25 04:33
% whoami
jmadler
% su -
Password:
su: setuser: Operation not permitted
Sorry
% su Adminstrator
su: unknown login Adminstrator
% su root
su: unknown login root
%




Rodney -> RE: Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 12:50:02 PM)

Refer to the instructions (item #2) at:
http://www.flexbeta.net/main/articles.php?action=show&id=121
for getting the Administrator account active.




geprieto -> RE: Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 5:47:59 PM)

No, I think this is the same problem I had last week. I reinstalled Vista RC1, added the Admin account, added the SUA service, installed the SDK with setuid and case sens, but it still reports the same problem...

Must be Vista's fault, not SUA related I guess.




Rodney -> RE: Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 6:16:09 PM)

It'd be a good thing to check the actual registry entry to be sure something
hasn't removed or inverted the setting(s).




geprieto -> RE: Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 6:21:46 PM)

Checked already: EnableSetuidBinaries {REG_DWORD} = 0x00000001 (1)




jmadler -> RE: Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 7:48:46 PM)

Same. Enabled the admin account and enabled that registry key, and still no go.




Rodney -> RE: Issue with su (setuid) on Vista 5600 (Sep. 26, '06, 1:37:07 AM)

Let's get another couple of bits of information then...

For the user that's doing the su what is the output from "id -D"?

If you do a trace on the run, "truss su -", what is the output?




geprieto -> RE: Issue with su (setuid) on Vista 5600 (Sep. 26, '06, 12:47:43 PM)

Ok, here it is:


Welcome to the SUA utilities.

DISPLAY=localhost:0.0
% id -D
uid=197608(almejin+geprieto) gid=197121(almejin+None_ploc) groups=197121(almejin
+None_ploc), 65792(+Everyone), 131617(BUILTIN+Users), 66820(NT AUTHORITY+INTERAC
TIVE), 66827(NT AUTHORITY+Authenticated Users), 66831(NT AUTHORITY+This Organiza
tion), 4095(CurrentSession), 66048(+LOCAL), 262154(NT AUTHORITY+NTLM Authenticat
ion), 401408(Mandatory Label+Medium Mandatory Level)
% truss su -
tracing pid 323
getdata() getdata returned 0
getrlimit(1, ) getrlimit returned 0
pthread_inform_signals() pthread_inform_signals returned 0
prio() prio returned 0
prio() prio failed: errno 1, Operation not permitted

getids() getids returned 0
getids() getids returned 0
getpwuid(0x303E8) getpwuid returned 0
getpwnam(almejin\geprieto) getpwnam returned 0
getpwuid(0x301F4) getpwuid returned 0
getids() getids returned 0
open("/dev/tty", 0x303, 0666) open returned 3
sigprocmask(1, 0x82fad0, 0x0) sigprocmask returned 0
tcgetattr(3, ) tcgetattr returned 0
tcsetattr(3, 3, ) tcsetattr returned 0
fstat(3, 0x1580610) fstat ret: 0 dev: 0x40000000000043 ino: 0x00017a7d
isatty(3) isatty returned 0
isatty(3) isatty returned 0
write(3, 0x994268, 9) Password:write returned 9
lseek(3, 0, 0) lseek returned 0
read(3, 0x994268, 4096)




spahlinger -> RE: Issue with su (setuid) on Vista 5600 (Sep. 27, '06, 5:20:31 AM)

Be sure to spell the account correctly: "Administrator", not "Adminstrator", as you did.




shan.ks -> RE: Issue with su (setuid) on Vista 5600 (Sep. 28, '06, 9:35:20 AM)

Below is an excerpt from the Vista SUA help file 'What's New in Subsystem for UNIX-based Application'. This was done in line with some of the security changes in Vista. An option to change this registry key during SDK setup will be added to the RTM version of the SDK so that this is more discoverable.

<snip>

EnableSuToRoot registry key
User Account Control is enabled by default. When User Account Control is enabled, any application or task that impersonates another user who is a member of the Administrators group (by using the su, cron, or login utilities, setuid, any of the setuid or exec_asuser family of calls, as examples) always runs in the security context of a standard user account.

With default settings, an application cannot impersonate the root user. You can control this behavior by modifying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA\EnableSuToRoot.

How to modify the EnableSuToRoot registry key
Perform the following steps to change the setting of the EnableSuToRoot registry key after you install Subsystem for UNIX-based Applications.

To change the setting of the EnableSuToRoot registry key

1. Click Start, click in the Start Search text box, and type regedit to open Registry Editor.
2. In the hierarchy pane, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA.
3. In the results pane, double-click EnableSuToRoot.
4. In the Value data box, enter 0 to disallow impersonation of the root user, or 1 to allow it. The default setting is 0.
5. Click OK.
6. Close Registry Editor; if prompted, save your changes.

When the value of this key is set to 0 (the default setting), impersonation of the root user is disallowed. When the value is set to 1, impersonation of the root user is allowed. When an application impersonates the root user or Administrator account, the application has the administrative security context of the root (Administrator) user.
</snip>

Shanmugam[MSFT]
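
An added example, not part of the original thread or the SUA help text: a PowerShell check that reads the two registry values discussed above and reports the effective impersonation setting, treating a missing EnableSuToRoot as the documented default of 0. The function name is hypothetical, and locating EnableSetuidBinaries under the same SUA key is an assumption, since the thread gives only its value name.

```powershell
function Get-SuaImpersonationSetting {
    param(
        # Key named in the quoted help text; override to test against a scratch key.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\SUA'
    )

    if (-not (Test-Path -Path $KeyPath)) {
        Write-Warning "$KeyPath not found: SUA does not appear to be installed."
        return
    }
    # Returns $null when the key exists but holds no values.
    $props = Get-ItemProperty -Path $KeyPath

    # EnableSetuidBinaries under this key is an assumption (see lead-in).
    foreach ($name in 'EnableSuToRoot', 'EnableSetuidBinaries') {
        $prop  = if ($props) { $props.PSObject.Properties[$name] } else { $null }
        $value = if ($prop) { [int]$prop.Value } else { $null }

        $meaning = switch ($name) {
            'EnableSuToRoot' {
                # Help text: the default is 0, so a missing value counts as 0.
                if ($value -eq 1) {
                    'root impersonation allowed: su/setuid to Administrator gets the administrative context'
                } else {
                    'root impersonation disallowed (default)'
                }
            }
            'EnableSetuidBinaries' {
                if ($null -eq $value) { 'not set' }
                elseif ($value -eq 1) { 'setuid binaries enabled' }
                else { 'setuid binaries disabled' }
            }
        }

        [pscustomobject]@{
            Name    = $name
            Present = ($null -ne $prop)
            Value   = $value
            Meaning = $meaning
        }
    }
}

Get-SuaImpersonationSetting | Format-Table -AutoSize -Wrap
```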



