Beware: applying any security templates will break SUA

breiter -> Beware: applying any security templates will break SUA (Mar. 9, '06, 9:30:53 PM)

Discovered an unfortunate interaction between security configuration templates and SUA today while working with a MS SUA support tech to figure out why setuid binaries won't run in SUA (separate thread).

The gist is that my Win2k3 R2 is installed on my day-to-day computer and configured with a derivative of the hisecws.inf (high-security workstation) security configuration template. The thought was that somehow this was causing setuid to not work in SUA/Interix 5.2, even though it had never been an issue in Interix 3.0 and 3.5.

Eventually, clutching at straws, I agreed to apply the "setup security" template which restores factory default settings to everything, including applying cascading permissions to the %SYSTEMROOT% directory.

With unfortunate lack of foresight, the SUA team decided to move the SUA directory from C:\SFU (or optionally anywhere) to %WINDIR%\SUA (with no option to put it somewhere else), which means that applying a security template mangles SUA by removing the specific UNIX permissions and replacing them with what the rest of the WINDOWS directory has. This makes SUA very broken.

Your options are then to repair/reinstall or reset all of the UNIX permissions manually--assuming you know what they are supposed to be. If you have binaries from the /Tools warehouse, you are in deeper trouble because the repair process will either not fix their permissions or clobber them with Microsoft's distributions of the files.

I went through this twice today. Once for applying the "setup security" template and again when restoring my hisec template.

Caveat emptor. You should configure security templates *before* installing SUA.




breiter -> RE: Beware: applying any security templates will break SUA (Mar. 10, '06, 8:12:23 AM)

Argh! I just realized that the "repair" function doesn't correct the permissions on the /dev file system. That leaves stuff still borked for non-administrators.

/bin/ksh: No controlling tty (open /dev/tty: Permission denied)
/bin/ksh: warning: won't have full job control
Welcome to the SUA utilities.
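
The thread says recovery depends on knowing what the UNIX permissions are supposed to be, including under /dev. The script below is an added example, not part of the original posts and not Microsoft or SUA tooling: it records the POSIX view (mode string, uid, gid) of a tree before a template is applied and reports what changed afterwards. The function names are hypothetical, and it assumes a POSIX shell with `find` and `ls -ldn` available.

```shell
#!/bin/sh
# Added example: permission manifest for a tree such as the SUA root or /dev.
# It reports drift only; it does not change any permissions.

# perm_of PATH -> "mode uid gid" from the first fields of `ls -ldn`
# (those fields keep the same position for files, dirs and device nodes).
perm_of() {
    ls -ldn "$1" 2>/dev/null | {
        read -r m links u g rest && printf '%s %s %s\n' "$m" "$u" "$g"
    }
}

# snapshot_perms ROOT -> one "mode uid gid path" line per entry under ROOT.
# Paths come from find, so names with spaces survive (newlines do not).
snapshot_perms() {
    find "$1" -print | while IFS= read -r p; do
        if line=$(perm_of "$p"); then printf '%s %s\n' "$line" "$p"; fi
    done
}

# check_perms MANIFEST -> prints CHANGED/MISSING lines, returns 1 on drift.
check_perms() {
    drift=0
    while read -r mode uid gid path; do
        if now=$(perm_of "$path"); then
            [ "$now" = "$mode $uid $gid" ] || {
                echo "CHANGED $path: was $mode $uid $gid, now $now"; drift=1; }
        else
            echo "MISSING $path"; drift=1
        fi
    done < "$1"
    return $drift
}

# setuid_entries MANIFEST -> manifest lines whose owner-execute slot is s or S,
# i.e. the setuid binaries whose bit must survive a repair.
setuid_entries() { grep '^...[sS]' "$1"; }

# CLI: perms.sh snapshot ROOT > manifest   |   perms.sh check manifest
case "${1:-}" in
    snapshot) snapshot_perms "$2" ;;
    check)    check_perms "$2" ;;
esac
```

Take the snapshot before applying a template and keep the manifest outside %WINDIR%; after the template (or after a repair), `check` lists exactly which entries no longer match.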



