At 07:49 AM 6/9/2003 +0400, CoolCold wrote:
>Hello Pierre,
>>
>PAH> How do you know sshd works?
>PAH> Can you telnet into the box as a normal user?
>
>[EMAIL PROTECTED] ~
>$ ssh [EMAIL PROTECTED]
>[EMAIL PROTECTED]'s password:
>[EMAIL PROTECTED] ~
>$ id
>uid=1004(gars) gid=513(None) groups=513(None),547(Power Users),545(Users)
>so it works ;)

Yes. Stranger and stranger.
Can you sshd as coolcold (the user with uid 1003)?
Can you telnet as gars and/or coolcold?
Can exim deliver mail to gars?

>PAH> What version of Windows do you have?
>Windows 2003 Enterprise
>[EMAIL PROTECTED] ~
>$ cmd -c ver
>Microsoft Windows [Version 5.2.3790]
>(C) Copyright 1985-2003 Microsoft Corp.

Don't know about that one. There have been setuid problems reported
with Windows server 2003. See list.

>PAH> Does "ps -a" show that inetd has uid 18?
>[EMAIL PROTECTED] ~
>$ ps -a|grep 18
> 3440 1 3440 3440 ? 18 03:28:47 /usr/bin/cygrunsrv
> 2240 3440 3440 3708 ? 18 03:28:47 /usr/bin/exim-4.20-1
> 1568 1 1568 1568 ? 18 06:46:10 /usr/bin/cygrunsrv
> 3332 1568 1568 2924 ? 18 06:46:10 /usr/sbin/sshd
> 3356 3332 3356 3356 ? 18 06:46:15 /usr/sbin/sshd
> 3888 3356 3888 3980 1 1003 06:46:18 /usr/bin/bash
> 3480 3332 3480 3480 ? 18 07:39:31 /usr/sbin/sshd
>
>PAH> Does uid 18 appear several times in /etc/passwd ?
>[EMAIL PROTECTED] ~
>$ less /etc/passwd |grep ":18"
>SYSTEM::18:544:,S-1-5-18:/:/bin/bash
>
>>>In windows' event log I can see:
>>>Event Type: Success Audit
>>>Event Source: Security
>>>Event Category: Privilege Use
>>>Event ID: 576
>>>Date: 6/9/2003
>>>Time: 6:46:18 AM
>>>User: WORKSTATION\coolcold
>>>Computer: WORKSTATION
>>>Description:
>>>Special privileges assigned to new logon:
>>> User Name: coolcold
>>> Domain: WORKSTATION
>>> Logon ID: (0x0,0x6526FC)
>>> Privileges: SeChangeNotifyPrivilege
>>> SeBackupPrivilege
>>> SeRestorePrivilege
>>> SeDebugPrivilege
>
>PAH> That looks normal and not related to the problem.
>PAH> Wait. What happened at 6:46 am? Did you login at the console
>PAH> or did you do something else?
>this message is from "login system" command:
>[EMAIL PROTECTED] ~
>$ login system;date
>Switching to user system failed!
>
>Mon Jun 9 07:46:14 RDT 2003

Wait. The date above is 07:46:14.
The dates below in the log are 7:39:33 AM

>this is from windows event log:
>Event Type: Success Audit
>Event Source: Security
>Event Category: Privilege Use
>Event ID: 576
>Date: 6/9/2003
>Time: 7:39:33 AM
>User: WORKSTATION\gars
>Computer: WORKSTATION
>Description:
>Special privileges assigned to new logon:
> User Name: gars
> Domain: WORKSTATION
> Logon ID: (0x0,0x71380D)
> Privileges: SeChangeNotifyPrivilege
>
>For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>----
>Event Type: Success Audit
>Event Source: Security
>Event Category: Logon/Logoff
>Event ID: 528
>Date: 6/9/2003
>Time: 7:39:33 AM
>User: WORKSTATION\gars
>Computer: WORKSTATION
>Description:
>Successful Logon:
> User Name: gars
> Domain: WORKSTATION
> Logon ID: (0x0,0x71380D)
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: WORKSTATION
> Logon GUID: -
> Caller User Name: WORKSTATION$
> Caller Domain: WORKGROUP
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 3480
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
>
>For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>
>
>PAH> Is there anything in the application log?
>PAH> Is there anything interesting in /var/log/xxx.log ?
>mmm...nothing really.
>
>PAH> Pierre (who sees it's 11:30 PM)
>
>Best regards, CoolCold
>Time:7.49AM ,Jun 09 2003

I'll sleep over this!
Meanwhile you should find another way to become SYSTEM.
There was a recent mail from Corinna explaining how to do it with ssh.
Others are using another trick involving scheduling run as, or some such.
Once you are SYSTEM, try running strace login

Pierre