Issue with su (setuid) on Vista 5600 (Full Version)

All Forums >> [SFU / Interix / SUA Technology] >> Windows Server 2003 R2 SUA


jmadler -> Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 4:39:00 AM)

I installed SUA on Vista RC1 (Build 5600), with all options enabled (all items, setuid, and case-sensitive fs). However, I encountered the following issue when attempting to su to Adminstrator to install a package:

% who
jmadler               ttyn00       Sep 25 04:33
% whoami
% su -
su: setuser: Operation not permitted
% su Adminstrator
su: unknown login Adminstrator
% su root
su: unknown login root

Rodney -> RE: Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 12:50:02 PM)

Refer to the instructions (item #2) at:
for getting the Administrator account active.

geprieto -> RE: Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 5:47:59 PM)

No, I think this is the same problem I had last week. I reinstalled Vista RC1, added the Admin account, added the SUA service, installed the SDK with setuid and case sens, but it still reports the same problem...

Must be Vista's fault, not SUA related I guess.

Rodney -> RE: Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 6:16:09 PM)

It'd be a good thing to check the actual registry entry to be sure something
hasn't removed or inverted the setting(s).

geprieto -> RE: Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 6:21:46 PM)

Checked already: EnableSetuidBinaries {REG_DWORD} = 0x00000001 (1)

jmadler -> RE: Issue with su (setuid) on Vista 5600 (Sep. 25, '06, 7:48:46 PM)

Same. Enabled the admin account and enabled that registry key, and still no go.

Rodney -> RE: Issue with su (setuid) on Vista 5600 (Sep. 26, '06, 1:37:07 AM)

Let's get another couple of bits of information then...

For the user that's doing the su what is the output from "id -D"?

If you do a trace on the run, "truss su -, what is the output?

geprieto -> RE: Issue with su (setuid) on Vista 5600 (Sep. 26, '06, 12:47:43 PM)

Ok, here it is:

Welcome to the SUA utilities.

% id -D
uid=197608(almejin+geprieto) gid=197121(almejin+None_ploc) groups=197121(almejin
+None_ploc), 65792(+Everyone), 131617(BUILTIN+Users), 66820(NT AUTHORITY+INTERAC
TIVE), 66827(NT AUTHORITY+Authenticated Users), 66831(NT AUTHORITY+This Organiza
tion), 4095(CurrentSession), 66048(+LOCAL), 262154(NT AUTHORITY+NTLM Authenticat
ion), 401408(Mandatory Label+Medium Mandatory Level)
% truss su -
tracing pid 323
getdata() getdata returned 0
getrlimit(1, ) getrlimit returned 0
pthread_inform_signals() pthread_inform_signals returned 0
prio() prio returned 0
prio() prio failed: errno 1, Operation not permitted

getids() getids returned 0
getids() getids returned 0
getpwuid(0x303E8) getpwuid returned 0
getpwnam(almejin\geprieto) getpwnam returned 0
getpwuid(0x301F4) getpwuid returned 0
getids() getids returned 0
open("/dev/tty", 0x303, 0666) open returned 3
sigprocmask(1, 0x82fad0, 0x0) sigprocmask returned 0
tcgetattr(3, ) tcgetattr returned 0
tcsetattr(3, 3, ) tcsetattr returned 0
fstat(3, 0x1580610) fstat ret: 0 dev: 0x40000000000043 ino: 0x00017a7d
isatty(3) isatty returned 0
isatty(3) isatty returned 0
write(3, 0x994268, 9) Password:write returned 9
lseek(3, 0, 0) lseek returned 0
read(3, 0x994268, 4096)

spahlinger -> RE: Issue with su (setuid) on Vista 5600 (Sep. 27, '06, 5:20:31 AM)

Be sure to spell the account correctly: "Administrator", not "Adminstrator", as you did.

shan.ks -> RE: Issue with su (setuid) on Vista 5600 (Sep. 28, '06, 9:35:20 AM)

Below is an excerpt from Vista SUA help file 'What's New in Subsystem for UNIX-based Application'. This was done inline with some of the security changes in Vista. An option to change this registry key during SDk setup will be added to RTM version of SDK so that this is more discoverable.


EnableSuToRoot registry key
User Account Control is enabled by default. When User Account Control is enabled, any application or task that impersonates another user who is a member of the Administrators group (by using the su, cron, or login utilities, setuid, any of the setuid or exec_asuser family of calls, as examples) always runs in the security context of a standard user account.

With default settings, an application cannot impersonate the root user. You can control this behavior by modifying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA\EnableSuToRoot.

How to modify the EnableSuToRoot registry key
Perform the following steps to change the setting of the EnableSuToRoot registry key after you install Subsystem for UNIX-based Applications.

To change the setting of the EnableSuToRoot registry key

Click Start, click in the Start Search text box, and type regedit to open Registry Editor.

In the hierarchy pane, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA.

In the results pane, double-click EnableSuToRoot.

In the Value data box, enter 0 to disallow impersonation of the root user, or 1 to allow it.

The default setting is 0.

Click OK.

Close Registry Editor; if prompted, save your changes.

When the value of this key is set to 0 (the default setting), impersonation of the root user is disallowed. When the value is set to 1, impersonation of the root user is allowed. When an application impersonates the root user or Administrator account, the application has the administrative security context of the root (Administrator) user.


Page: [1]

Forum Software © ASPPlayground.NET Advanced Edition 2.5 ANSI