This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: cygwin_logon_user() not working


On Fri, 11 Jul 2003, msg wrote:

> Corinna, thanks much for your reply; please bear with me here
> (in case I'm missing something):
>
> > On Fri, Jul 11, 2003 at 11:56:09AM -0500, msg wrote:
> > > be owned by the new uid.  The code fails on the call to
> > > cygwin_logon_user() which returns -1 (invalid HANDLE). The output
> > > of 'strace' on this program shows cygwin_logon_user() extracting
> > > the /etc/passwd information followed by a 'windows error 1314' which
> > > is 'unknown' and converted to error 13.
> >
> > But you did look what error 1314 means, right?
>
> Indeed:
> 1314 0x0522  A required privilege is not held by the client.
>
> > > We've tried running the program from a bash shell logged-in as
> > > user 'root' and again logged-in as user 'Administrator' with no
> > > difference (Windows logins, not cygwin 'login' logins).
> >
> > So it runs as expected.  Admin accounts don't have the right to call
> > LogonUser up to W2K. This would only work on XP and 2003.
>
> Are you saying it won't work regardless of the privilege settings
> on Win2k (I presume you mean it won't work unless the needed
> privileges are granted)?

It won't work with *default* privileges.

> > You have to add the SeTcpPrivilege to the user who should call
> > LogonUser.  See
> > http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID for the needed
> > user privileges (up to W2K).
>
> Yes, I carefully studied both the pdf users' guide and the online
> version prior to posting and ensured that all of the mentioned
> privileges were granted to user 'root' and to user 'Administrator'
> including SeTcpPrivilege (Act as part of the operating system).
> These were all in place during testing.

Your best bet to find the minimal necessary set of rights would be to
start by replicating the rights of the SYSTEM account for "root" and then
removing these rights one by one until things stop working.

> We don't have any native Win2k/NT debugging or development tools;
> what can we do to troubleshoot this?
>
> Michael Grigoni

Well, you could go to Control Panels->Administrative Tools->Local Security
Policy (or run "%SystemRoot%\system32\secpol.msc /s"), then go to Local
Policy->User Rights Assignment, and see whether the necessary rights are
assigned to the "root" user.  You could use a screenshot of the maximized
window at that point to show that the rights have indeed been assigned (if
anyone knows of a free ["ntrights" you have to pay for] command line tool
to print/change user rights, please don't hesitate to correct me).
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
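
Added example, not part of the original message or of Cygwin: a command-line way to check the rights assignments discussed above by parsing the text of a `secedit` user-rights export. In such an export the right displayed as "Act as part of the operating system" appears under the constant SeTcbPrivilege. The sample export, the account names and the two extra rights in REQUIRED are constructed assumptions.

```python
# Export on the Windows host: secedit /export /cfg rights.inf /areas USER_RIGHTS
# then read rights.inf (UTF-16) and pass its text to the functions below.

# Constructed sample of an exported template; SIDs and names are illustrative.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-18,root
SeAssignPrimaryTokenPrivilege = *S-1-5-18
SeIncreaseQuotaPrivilege = *S-1-5-32-544,root
[Version]
Revision=1
"""

# The thread names only "Act as part of the operating system"; the other two
# rights are assumptions used as example inputs.
REQUIRED = ("SeTcbPrivilege", "SeAssignPrimaryTokenPrivilege",
            "SeIncreaseQuotaPrivilege")


def parse_privilege_rights(text):
    """Return {right: [holders]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            holders = [h.strip().lstrip("*") for h in value.split(",")]
            rights[name.strip()] = [h for h in holders if h]
    return rights


def missing_rights(text, account, required=REQUIRED):
    """List required rights not assigned directly to the account (name or SID).
    Rights held only through group membership are not resolved here."""
    rights = parse_privilege_rights(text)
    wanted = account.lower()
    return [r for r in required
            if wanted not in (h.lower() for h in rights.get(r, []))]


if __name__ == "__main__":
    for acct in ("root", "Administrator"):
        print(acct, "missing:", missing_rights(SAMPLE_INF, acct) or "none")
```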

