Re: Intermittent Cron Errors

Wed, 08 Jul 2009 15:30:29 -0700 

----- Original Message ----- 
From: "Rajiv Garg"
To: "Pierre A. Humblet"
Sent: Wednesday, July 08, 2009 5:47 PM
Subject: Re: Intermittent Cron Errors


|
| Pierre,
|
| Thanks for your reply.
|
| Yes, both the job and service are running under the same account 
(orderworker).  I was looking 
into this a bit more, and found that we are getting the following event in our 
security event 
log at the exact time of the cron "can't switch user context" error.
|
| Event Type:       Failure Audit
| Event Source:    Security
| Event Category: Privilege Use
| Event ID:           577
| Date:               7/8/2009
| Time:              4:30:17 PM
| User:              <domain>\orderworker
| Computer:      OMS1
| Description:
| Privileged Service Called:
| Server:                       NT Local Security Authority / Authentication 
Service
| Service:                      LsaRegisterLogonProcess()
| Primary User Name:    OMS1$
| Primary Domain:         <domain>
| Primary Logon ID:       (0x0,0x3E7)
| Client User Name:      orderworker
| Client Domain:
| Client Logon ID:         (0x0,0xF1C649B8)
| Privileges:                 SeTcbPrivilege
|
| This seems to confirm that it's an sporadic authentication issue between our 
server and our 
domain controllers, not cron or cygwin-related.  I'm going to try to track this 
issue down and 
failing that, may try building a special version of cron to bypass setuid per 
your suggestion. 
I should be able to handle that, but if I have trouble, I may drop you a line.
***************

Rajiv,

Good investigation but I am not sure how you arrive at the conclusion.

I can reproduce the same audit failure by attempting to setuid to another user 
without being 
privileged.
strace shows the following:
   50  336755 [main] a 536 set_privilege: -1 = set_privilege ((token 6F4) 
SeTcbPrivilege, 1)
  930  337685 [main] a 536 subauth: LsaRegisterLogonProcess: -1073741759
which matches what your security log shows.

So it looks like in your case cygwin does not recognize that the setuid should 
be a noop and 
tries to get a new security token. That behavior is flagged by the security 
audit.
The attempt to get a new token may be due to a problem obtaining the groups of 
the user from the 
PDC, in an earlier call to initgroups. Unfortunately cron does not check the 
return value of 
that call.
If you can do it easily, there is some value in running the test program I sent 
you.

Pierre



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply via email to