All Forums |
Register |
Login |
Search |
Subscriptions |
My Profile |
Inbox |
Tool Warehouse |
FAQs |
Resources |
Help |
Member List |
Address Book |
Logout |
|
|
Beware: applying any security templates will break SUA
|
Logged in as: Guest |
Users viewing this topic: none |
|
Login |
|
|
Beware: applying any security templates will break SUA - Mar. 9, '06, 9:30:53 PM
|
|
|
breiter
Posts: 343
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
|
Discovered an unfortunate interaction between security configuration templates and SUA todat while working with a MS SUA support tech to figure out why setuid binaries won't run in SUA (separate thread).
The gist is that my Win2k3 R2 is installed on my day-to-day computer and configured with a derivative of the hisecws.inf (high-security workstation) security configuration template. The thought was that somehow this was causing setuid to not work in SUA/Interix 5.2, even though it had never been an issue in Interix 3.0 and 3.5.
Eventually, clutching at straws, I agreed to apply the "setup security" template which restores factory default settings to everything, including applying cascading permissions to the %SYSTEMROOT% directory.
With unfortunate lack of foresight, the SUA team decided to move the SUA directory from C:\SFU (or optionally anywhere) to %WINDIR%\SUA (with no option to put it somewhere else), which means that applying a security template mangles SUA by removing the specific UNIX permissions and replacing it with with the rest of the WINDOWS directory has. This makes SUA very broken.
Your options are then to repair/reinstall or reset all of the UNIX permissions manually--assuming you know what they are supposed to be. If you have binaries from the /Tools warehouse, you are in deeper trouble because the repair process will either not fix their permissions or clobber them with Microsoft's distributions of the files.
I went through this twice today. Once for applying the "setup security" template and again when restoring my hisec template.
Caveat emptor. You should configure security templates *before* installing SUA.
|
|
|
RE: Beware: applying any security templates will break SUA - Mar. 10, '06, 8:12:23 AM
|
|
|
breiter
Posts: 343
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
|
Argh! I just realized that the "repair" function doesn't correct the permissions on the /dev file system. That leaves stuff still borked for non-administrators.
/bin/ksh: No controlling tty (open /dev/tty: Permission denied)
/bin/ksh: warning: won't have full job control
Welcome to the SUA utilities.
|
|
|
New Messages |
No New Messages |
Hot Topic w/ New Messages |
Hot Topic w/o New Messages |
|
Locked w/ New Messages |
Locked w/o New Messages |
|
Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
|
|