RE: passwordless ssh - plot thickens...
RE: passwordless ssh - plot thickens... - Mar. 11, '04, 11:42:20 AM
markfunk (Posts: 673, Joined: Mar. 31, '03)
1) Have you submitted your concerns to Microsoft?
You seem to have several, but you don't clearly describe any of them.
2) "SFU" is just a product name representing several different components, some of which are completely independent of each other: components such as NFS server, NFS client, Interix, NIS server, password sync, .... So talking about the behaviour of SFU doesn't make sense unless perhaps you are referring to the installation process.
So I'll assume your concerns are with Interix.
3) Group ownership and permissions on files must be properly set up by the user. And each application has its own security checks. I don't see how a user setting the perms incorrectly is a problem of Interix. The same problem exists on any UNIX system.
4) SE_BACKUP and SE_RESTORE are just symbolic names referring to the corresponding privilege. The docs aren't talking about the actual string name or programmatic constant that you would use if working with NT APIs.
It is only at the programmatic level that the string/constant names are case sensitive. And the reference to SE_BACKUP is probably a shortened reference to the SE_BACKUP_NAME C-language privilege constant used in some NT APIs.
5) A local /etc/passwd file wouldn't work. a) NT doesn't have any equivalent that Interix could easily point to; b) this account information is already in the NT security registry database, so why replicate it? And if it could be replicated, how to keep it in sync? c) NT has Windows Domains; each of these domains might require a separate /etc/passwd file.
6) The problem with the user's home directory is that a lot of users/admins do not set it in the security database. They rely on the Windows defaults. But each version of Windows had a different default, and there was no obvious Windows/NT API to obtain this default value.
This is a good suggestion in that the Interix value of HOME should be more consistent with what Windows does.
7) Password sync, NFS, NIS are separate components, not related to Interix. I don't understand what you think the problem is.
RE: passwordless ssh - plot thickens... - Mar. 15, '04, 12:04:40 PM
eyebear (Posts: 8, Joined: Jan. 22, '04, From: Germany)
Hello Rodney & Mark,
it seems it's not so easy as I thought.
In reply to Rodney:
quote:
...
Placing a hosts file will do absolutely nothing. Groups same.
All of the user information is stored in the user database which is
under the control of the LSASS (another subsystem) on each machine.
...
/etc/hosts does nothing? It's linked to '%Systemroot%\system32\drivers\etc\hosts'.
In the "windows" area of this machine it's my help to get a name resolution working, before the internal process of changing anything in the production area is working. It normally lasts 1-2 days to get such a change on a DNS server in the production until it is done.
The next question is the LSASS/permission problems. Our admins have special accounts which enable them to log on locally to an NT or W2K server. As a normal admin, you are allowed to read, but not to execute or write anything, except in those areas of the file system where you get these rights granted. E.g. an Oracle DBA may 'rwx' in the Oracle part of the filesystem, but when he wants to restart not only the database but the whole Oracle processes, he's relying on the network operation center, which will do this job for him.
A 'su' or 'sudo' would be helpful in these circumstances, and that's the point where we wanted to get SfU working. In the Unix area this is no real problem, but on NT/W2K (here), you are stuck with those rights, which do not allow you to alter the user information.
In reply to Mark:
1) Should I?
2 & 7) They are separate components? And not related to Interix? That's why I get such problems in understanding what which component is doing... I thought that SfU is made "of a piece", but....
3, 4, 5 & 6) I thought of a 'passwd' file as a hint, where to point to. E.g.: The account 'Administrator' is created in the group 'guests' here; the real admin account has a different name. Admin accounts also have no "HOME". Users do. So admin accounts do not suffer from replicating a profile around the enterprise. They are always local.
So: why not use "wheel" as a local group? The difference between a user account in an NT domain or in an AD and a local administrative account could be switched.
My idea of /home/$USER is that it is linked to /home/$USERPROFILE, so that a 'cd ~' brings you back home. And only those get an SfU /home who are members of a special group, maybe 'wheel'. I think it would be a nice and useful feature to get asked during install if there is a special group or if it's appropriate to create one.
Thank you
andreas
RE: passwordless ssh - plot thickens... - Mar. 15, '04, 12:55:57 PM
Rodney (Posts: 3728, Joined: Jul. 9, '02, From: /Tools lab)
Sorry, I didn't mean "hosts", I meant "/etc/passwd".
I must have been staring at the word when I typed or something.
Having a /etc/passwd file won't do anything since the data is kept and looked for elsewhere.
quote:
A 'su' or 'sudo' would be helpful in these circumstances, and that's the point where we wanted to get SfU working. In the Unix area this is no real problem, but on NT/W2K (here), you are stuck with those rights, which do not allow you to alter the user information.
Interix does come with su. You can install sudo as a package from the /Tools ftp site. The caveat is that you need setuid active. I'll just assume for now you have it active. To properly set up the file content, so that it remains secure and sudo sees that it's secure, is to do it as Administrator. After that the granularity is as on Unix.
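The "sudo sees that it's secure" part of the reply above comes down to ownership and mode of the sudoers file. The following is an added example, not code from the thread or from the Interix/sudo packages: a POSIX sh function that checks a privileged config file the way sudo does before trusting it. The expected owner name and the 0440 mode are assumptions to adapt (on Interix the owner would be the Administrator account rather than root); the file path is whatever you pass in.

```shell
# check_privfile FILE OWNER
# Returns 0 when FILE is a regular file owned by OWNER with mode 0440 or
# tighter (no group/other write, no execute bits). Otherwise it prints the
# reason on stdout and returns 1. Uses only ls(1) so it runs on any POSIX sh.
check_privfile() {
    file=$1
    owner=$2

    [ -f "$file" ] || { echo "$file: not a regular file"; return 1; }

    # ls -ld columns: mode links owner group size date... name
    set -- $(ls -ld "$file")
    mode=${1%[.+@]}          # strip an ACL/xattr marker some ls versions append
    fowner=$3

    [ "$fowner" = "$owner" ] || {
        echo "$file: owned by $fowner, expected $owner"
        return 1
    }

    case "$mode" in
        -r--r-----|-r--------) ;;   # 0440 or 0400: acceptable
        *)
            echo "$file: mode $mode is too permissive (want 0440)"
            return 1
            ;;
    esac
    return 0
}

# Constructed demonstration on a throw-away file; the real target would be
# the sudoers file installed from the /Tools package.
demo_privfile_check() {
    tmp=$(mktemp) || return 1
    chmod 0440 "$tmp"
    check_privfile "$tmp" "$(id -un)"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run the check as the account that installed sudo; a non-zero return means sudo will refuse the file (or warn) until the owner and mode are corrected.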