RE: passwordless ssh - plot thickens...

RE: passwordless ssh - plot thickens... - Mar. 11, '04, 9:57:27 AM   
Rodney

 

Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
What is mentioned in the help file depends at what level you are
interacting with NT (the kernel). Don't confuse Windows with NT.
Yes, there is a tight bond between the two. But one is written
with more sense than the other (you get one guess which).

Anyway, in the help file SE_BACKUP is mentioned (in caps) because
that's what it is down at the interface level (a macro). When you
are using the Windows GUI it displays it as SeBackupPrivilege.
So, it's not wrong. It's just confusing to people who haven't read
the header files way down there.

Placing a hosts file will do absolutely nothing. Groups same.
All of the user information is stored in the user database which is
under the control of the LSASS (another subsystem) on each machine.

The privileges backup and restore are only needed by a user if you want
them to modify permissions on a file owned by someone else, or to give
ownership of a file/directory to another user. Usually this is just the
"root" account (Administrator) or those in the Administrators group (a
la "wheel").

Perhaps if you could explain in some more detail what you are wanting to
do for user setup someone can give you some pointers of what to do/try.

(in reply to eyebear)
Post #: 21
RE: passwordless ssh - plot thickens... - Mar. 11, '04, 11:42:20 AM   
markfunk

 

Posts: 673
Joined: Mar. 31, '03,
Status: offline
1) Have you submitted your concerns to Microsoft ?
You seem to have several, but you don't clearly describe any of them.

2) "SFU" is just a product name representing several different components, some of which are completely independent of each other. Components such as NFS server, NFS client, Interix, NIS server, password sync, .... So talking about the behaviour of SFU doesn't make sense unless perhaps you are referring to the installation process.
So I'll assume your concerns are with Interix.

3) Group ownership and permissions on files must be properly set up by the user. And each application has its own security checks. I don't see how a user setting the perms incorrectly is a problem of Interix. The same problem exists on any UNIX system.

4) SE_BACKUP and SE_RESTORE are just symbolic names referring to the corresponding privilege. The docs aren't talking about the actual string name or programmatic constant that you would use if working with NT APIs.
It is only at the programmatic level that the string/constant names are case sensitive. And the reference to SE_BACKUP is probably a shortened reference to the SE_BACKUP_NAME C-language privilege constant used in some NT APIs.

5) A local /etc/password file wouldn't work. a) NT doesn't have any equivalent that Interix could easily point to, b) this account information is already in the NT security registry database so why replicate it ? And if it could be replicated, how to keep it in sync ? c) NT has Windows Domains - each of these domains might require a separate /etc/passwd file.

6) The problem with the user's home directory is that a lot of users/admins do not set it in the security database. They rely on the Windows defaults. But each version of Windows had a different default and there was no obvious Windows/NT api to obtain this default value.
This is a good suggestion in that the Interix value of HOME should be more consistent with what Windows does.

7) Password sync, NFS, NIS are separate components. Not related to Interix. I don't understand what you think the problem is.

(in reply to eyebear)
Post #: 22
RE: passwordless ssh - plot thickens... - Mar. 15, '04, 12:04:40 PM   
eyebear

 

Posts: 8
Joined: Jan. 22, '04,
From: Germany
Status: offline
Hello Rodney & Mark,

it seems it's not as easy as I thought.

In reply to Rodney:
quote:

...
Placing a hosts file will do absolutely nothing. Groups same.
All of the user information is stored in the user database which is
under the control of the LSASS (another subsystem) on each machine.
...


/etc/hosts does nothing? It's linked to '%Systemroot%\system32\drivers\etc\hosts'.
In the "Windows" area of this machine it's my help to get name resolution working before the internal process of changing anything in the production area is working. It normally takes 1-2 days until such a change on a DNS server in production is done.

The next question is the LSASS/permission problems. Our admins have special accounts which enable them to log on locally to an NT or W2K server. As a normal admin, you are allowed to read, but not to execute or write anything, except in those areas of the file system where you get these rights granted. E.g. an Oracle DBA may 'rwx' in the Oracle part of the filesystem, but when he wants to restart not only the database but the whole set of Oracle processes, he's relying on the network operation center, which will do this job for him.

A 'su' or 'sudo' would be helpful in these circumstances, and that's the point where we wanted to get SfU working. In the Unix area this is no real problem, but on NT/W2K (here), you are stuck with those rights, which do not allow you to alter the user information.


In reply to Mark:

1) Should I?

2 & 7) They are separate components? And not related to Interix? That's why I get such problems in understanding what each component is doing... I thought that SfU is made "of a piece", but....

3,4,5 & 6) I thought of a 'passwd' file as a hint, where to point to. E.g.: The account 'Administrator' is created in the group 'guests' here; the real admin account has a different name. Admin accounts also have no "HOME". Users do. So admin accounts do not suffer from replicating a profile around the enterprise. They are always local.

So: why not use "wheel" as a local group? The difference between a user account in an NT domain or in an AD and a local administrative account could be switched.

My idea of /home/$USER is that it is linked to /home/$USERPROFILE, so that a 'cd ~' brings you back home. And only those get a SfU home who are members of a special group, maybe 'wheel'. I think it would be a nice and useful feature to get asked during install if there is a special group or if it's appropriate to create one.

Thank you
andreas

(in reply to markfunk)
Post #: 23
RE: passwordless ssh - plot thickens... - Mar. 15, '04, 12:55:57 PM   
Rodney

 

Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
Sorry, I didn't mean "hosts" I meant "/etc/passwd".
I must have been staring at the word when I typed or something.
Having a /etc/passwd file won't do anything since the data is kept and looked for elsewhere.

quote:

A 'su' or 'sudo' would be helpful in these circumstances, and that's the point where we wanted to get SfU working. In the Unix area this is no real problem, but on NT/W2K (here), you are stuck with those rights, which do not allow you to alter the user information.


Interix does come with su. You can install sudo as a package from the /Tools ftp site. The caveat is that you need setuid active. I'll just assume for now you have it active. To properly set up the file content, so that it remains secure and sudo sees that it's secure, is to do it as Administrator. After that the granularity is as on Unix.

(in reply to eyebear)
Post #: 24
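The "set it up as Administrator so sudo sees that it's secure" advice above boils down to two checks sudo performs before it will run at all: the sudoers file must be owned by the superuser and not writable by anyone else, and the sudo binary must be superuser-owned and setuid. The following is an added example (not code from the thread, the /Tools packages or Interix) that evaluates those checks on constructed ownership/mode facts; it assumes the superuser is uid 0, which is how Interix presents the Administrator account to Unix-style tools.

```python
import os
import stat
from dataclasses import dataclass

# Assumption: the superuser (Administrator in Interix terms) is uid 0.
SUPERUSER_UID = 0


@dataclass
class FileFacts:
    """Just the ownership/mode facts the checks need, so they run on constructed input."""
    path: str
    uid: int
    mode: int            # permission bits only, e.g. 0o440
    setuid: bool = False


def sudoers_problems(f: FileFacts) -> list:
    """Reasons sudo would refuse this sudoers file (empty list means it is acceptable)."""
    problems = []
    if f.uid != SUPERUSER_UID:
        problems.append(f"{f.path} is owned by uid {f.uid}, should be {SUPERUSER_UID}")
    if f.mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{f.path} is mode {f.mode:04o}, must not be group/world writable")
    return problems


def sudo_binary_problems(f: FileFacts) -> list:
    """The binary must be superuser-owned and setuid, or it cannot switch identity
    (the 'you need setuid active' caveat from the post above)."""
    problems = []
    if f.uid != SUPERUSER_UID:
        problems.append(f"{f.path} is owned by uid {f.uid}, should be {SUPERUSER_UID}")
    if not f.setuid:
        problems.append(f"{f.path} is not setuid; sudo cannot change identity")
    return problems


def facts_from_disk(path: str) -> FileFacts:
    """Collect the same facts from a real file, for use outside the constructed demo."""
    st = os.stat(path)
    return FileFacts(path, st.st_uid, stat.S_IMODE(st.st_mode) & 0o777,
                     bool(st.st_mode & stat.S_ISUID))


if __name__ == "__main__":
    # Constructed inputs: a sudoers written as an ordinary user, and one set up as root.
    for facts in (FileFacts("/etc/sudoers", uid=1001, mode=0o664),
                  FileFacts("/etc/sudoers", uid=0, mode=0o440)):
        print(facts, sudoers_problems(facts) or "ok")
```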