Problems with Limited Users
Problems with Limited Users - Apr. 28, '06, 12:06:22 AM
|
|
|
Mancat
Posts: 6
Joined: Apr. 27, '06,
Status: offline
|
Hi,
I've never experienced this problem before, and I'm pulling my hair out. I have a fresh install of XP Pro SP2, with all of the latest security updates installed. In fact, almost nothing else besides Interix and one game have been installed.
The problem is, no limited users can start a shell. When attempting to start a shell as a limited user, the following application error is logged to the Event Log:
Source: Interix EventID: 1017
Unexpected Exception pid=195 cid=0x70c.0x710 code=0xc0000022 fc=0
Administrator *can* start a shell, but I cannot 'su' to a user within his shell; trying to do so produces a "/bin/sh: Permission denied." error. I checked the permissions on /bin/ksh, which /bin/sh links to. They are 775. /bin/tcsh has the same permissions.
Facts:
- I've installed and uninstalled Interix multiple times. No difference.
- Interix was initially installed on a striped volume. For the hell of it, I reinstalled it to the main system volume. No difference.
- Setuid and case sensitivity have always been enabled. It's not my first time using or installing Interix, so I never miss those two settings.
- I created additional new limited user accounts to eliminate the possibility of some strange user account setting breaking Interix. All of the new accounts suffered the same fate.
This is pretty weird. The only thing I haven't tried yet is reinstalling Windows. This system is completely fresh, so I have no clue what could be broken in the Windows install.
|
|
|
RE: Problems with Limited Users - Apr. 28, '06, 12:52:04 AM
|
|
|
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
It's a permissions problem on the user's home directory.
The "/bin/sh: Permission denied" is a message from /bin/sh that it cannot chdir() to the user's home.
Understand that the home directory is what is listed in the user database.
The output from "finger user" will show this information.
If you haven't set a home directory it will show up as "/".
Refer to the FAQ about setting a home directory.
|
|
|
RE: Problems with Limited Users - Apr. 28, '06, 3:23:08 AM
|
|
|
Mancat
Posts: 6
Joined: Apr. 27, '06,
Status: offline
|
Thanks for the reply, Rodney. It doesn't look like that is the problem in this case. I've used Interix for some time, so I always set the home directory when creating users. Here's some 'finger' info from a test user:
Login: testuser Name: testuser
Directory: /dev/fs/C/Documents and Settings/testuser Shell: /bin/sh
Never logged in.
No Mail.
No Plan.
And, if this helps at all, here's 'truss' output from the command: su - testuser
tracing pid 1219
getdata() getdata returned 0
getrlimit() getrlimit returned 0
pthread_inform_signals() pthread_inform_signals returned 0
prio() prio returned 0
prio() prio returned 0
getids() getids returned 0
getids() getids returned 0
getpwuid(0x301F4, 0x1) getpwuid returned 0
getpwnam(MANIMAL\Administrator) getpwnam returned 0
getpwnam(testuser) getpwnam returned 0
getids() getids returned 0
setuser(testuser 0 0 0x0) setuser returned 0
getpdomain() getpdomain returned 16 0x10
uidtontsid() uidtontsid returned 0
gettzenv() gettzenv returned 0
winpath2unix() winpath2unix returned 0
winpath2unix() winpath2unix returned 0
winpath2unix() winpath2unix returned 0
winpath2unix() winpath2unix returned 0
prio() prio returned 0
write(2, 0x81F044, 4) su: write returned 4
write(2, 0x81F060, 7) /bin/shwrite returned 7
write(2, 0x81F048, 2) : write returned 2
write(2, 0x81F044, 18) Permission denied
write returned 18 0x12
lseek(0, 1, 0) lseek returned 0
lseek(0, 0, 0) lseek returned 0
exit(1) process exited with status 1
%
|
|
|
RE: Problems with Limited Users - Apr. 28, '06, 12:49:40 PM
|
|
|
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
The setuser() call returned successfully. So the process (su) became
that user. No problem. The truss only follows su, it doesn't
follow any children (/bin/sh in this case).
The o/p message from /bin/sh is still "Permission denied" which means that
the shell (/bin/sh) could not change to the user's home directory. This is
the problem that must be resolved. Check all of the pathname components for
access by the user. If you do an "ls -l" and the permissions show a
"+" then it means there is an ACE in the ACL that can't be displayed using
standard Unix permissions; given the pathname this is very likely. That ACE
may be what's affecting it. You can check it in more detail using cacls.
Likely you'll need to clobber the home directory to just reset the permissions.
Best to use the Interix utilities, not Win32 (chown and chmod).
|
|
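The check suggested in the reply above ("check all of the pathname components for access by the user") can be scripted. This is an added example, not code from the thread or from Interix; the function names `walk_path` and `first_blocked` are hypothetical, and it assumes a POSIX shell with `ls` and `awk`. It evaluates only the owner and "other" permission classes.

```shell
#!/bin/sh
# Added example (not from the thread). Walks every component of a path and
# reports whether USER has search (x) permission on it, reading the mode
# string from `ls -ld` so the answer does not depend on who runs the script.
# Simplifications (assumptions): only the owner and "other" classes are
# evaluated, group membership is ignored, owner names contain no whitespace.
# Typical call: walk_path testuser "/dev/fs/C/Documents and Settings/testuser"

walk_path() {    # usage: walk_path USER PATH -> one "STATUS MODE PATH" line each
    user=$1 rest=$2
    case $rest in /*) cur="" ;; *) cur="." ;; esac
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        if [ -z "$comp" ]; then continue; fi
        cur="$cur/$comp"
        info=$(ls -ld "$cur" 2>/dev/null | awk 'NR==1 {print $1, $3}')
        mode=${info%% *} owner=${info#* }
        if [ -z "$info" ]; then
            echo "MISSING - $cur"; return 0
        fi
        if [ "$owner" = "$user" ]; then
            # Owner class: 4th character of the mode string is the x bit.
            case $mode in ???[xs]*) status=OK ;; *) status=DENIED ;; esac
        else
            # "Other" class: 10th character of the mode string is the x bit.
            case $mode in ?????????[xt]*) status=OK ;; *) status=DENIED ;; esac
        fi
        # An 11th character of "+" means extra ACEs that the nine mode bits
        # cannot show; those need a closer look with cacls.
        case $mode in ??????????+*) status="$status+ACL" ;; esac
        echo "$status $mode $cur"
    done
}

first_blocked() {   # prints the first component that is not plain "OK"
    walk_path "$1" "$2" |
        awk '$1 != "OK" { sub(/^[^ ]+ [^ ]+ /, ""); print; exit }'
}
```

A component reported as `OK+ACL` has passed the mode-bit test only; the extra ACEs still have to be inspected separately.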
|
RE: Problems with Limited Users - Apr. 28, '06, 8:09:28 PM
|
|
|
Mancat
Posts: 6
Joined: Apr. 27, '06,
Status: offline
|
Rodney,
Everything looks fine with permissions. I played around with a couple test accounts, even giving "Everyone" full access rights.
Here is a look at the permissions on "C:\Documents and Settings":
C:\Documents and Settings NT AUTHORITY\SYSTEM:F
                          BUILTIN\Administrators:F
                          BUILTIN\Users:R
                          BUILTIN\Power Users:R
                          Everyone:R
                          NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
                          BUILTIN\Administrators:(OI)(CI)(IO)F
                          BUILTIN\Users:(OI)(CI)(IO)(special access:)
                                        GENERIC_READ
                                        GENERIC_EXECUTE
                          BUILTIN\Power Users:(OI)(CI)(IO)(special access:)
                                              GENERIC_READ
                                              GENERIC_EXECUTE
                          Everyone:(OI)(CI)(IO)(special access:)
                                   GENERIC_READ
                                   GENERIC_EXECUTE
And on a test user's home directory:
C:\Documents and Settings\interixtest.MANIMAL BUILTIN\Administrators:(OI)(CI)F
                                              Everyone:(OI)(CI)F
                                              MANIMAL\interixtest:(OI)(CI)F
                                              NT AUTHORITY\SYSTEM:(OI)(CI)F
Doesn't look like there should be any access errors there.
I did run across this MS KB article. Both of the disks in this system are dynamic disks. There are three volumes: two small 8GB volumes, and two 30GB volumes configured as a striped set. This doesn't seem to apply to XP Pro, but it sure would explain a lot, because I don't see any other problem.
http://support.microsoft.com/default.aspx?scid=kb;en-us;872958
|
|
|
RE: Problems with Limited Users - Apr. 28, '06, 9:30:59 PM
|
|
|
Mancat
Posts: 6
Joined: Apr. 27, '06,
Status: offline
|
Okay. I wiped all volumes on the machine and reinstalled XP Pro SP2. No other updates were installed, no other changes made to the system after installation. SFU was installed immediately. A limited user account was created. I logged into this account to create the home directories, and then entered the user's home directory into the user database. Once I logged into this user's account again, I could open a shell with no problems. Everything worked.
I then converted the system disk from Basic to Dynamic. This required a reboot. After the disk was converted, Interix no longer works for the limited user account.
The user was 'testuser.' Permissions on "C:\Documents and Settings" and "C:\Documents and Settings\testuser" remained identical before and after the conversion from Basic to Dynamic disk.
Humph. I give up. Why would Interix break on a dynamic disk?
One thing worth mentioning: I used Filemon to monitor file access activity. Some Interix processes attempt to access directories on C:\, but assert a path of "C:\??\C:\WINDOWS\system32" for example. A "NAME INVALID" error is generated by these accesses. What's going on?
< Message edited by Mancat -- Apr. 28, '06, 9:37:26 PM >
|
|
|
RE: Problems with Limited Users - Apr. 30, '06, 2:32:37 PM
|
|
|
markfunk
Posts: 673
Joined: Mar. 31, '03,
Status: offline
|
It's a bug in the Interix subsystem.
See http://www.interopsystems.com/tools/tm.aspx?m=1283&mpage=1&key=dynamic%2cdisk&#1283
and Microsoft's KB article (KB Article Number(s): 872958)
|
|
|
RE: Problems with Limited Users - May 1, '06, 2:00:34 PM
|
|
|
Mancat
Posts: 6
Joined: Apr. 27, '06,
Status: offline
|
Thanks for verifying, Mark.
The KB says that 'dmio.sys' needs to be patched to solve this issue. Is this all that is required to resolve this? If so, do you know if the patched 'dmio.sys' from 2000/2003 Server will work correctly with XP? I may give it a try.