This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: Suggestions for cron/suid script? (accessing network shares)


> > I recently got cron set up on my Win2K box.  What a treat not to have to
> > use Windows' built in scheduler!  Given that cron runs as SYSTEM, what I'm
> > wondering is this: Is there any way to get cron to see my network shares?
> > Specifically, I'm tar/gzipping my Cygwin home dir and want to copy the
> > tarball to a directory on my LAN (Novell share) for which my logged-in
> > account is the only trustee.  When I run a script that tries to map it
> > with "net use", I get an error that implies a permissions issue.  I'm not
> > likely to be able to convince the network folks to change permissions to
> > add my local SYSTEM acct to this share, so I wonder if there's some way to
> > do it with, say, an SUID perl script or something.  I briefly tried
> > creating one, but not being super familiar with suid, I'm having no luck.
> > Any advice would be welcome. Thanks!
>
> There are some earlier messages in the archives on this (including a recent
> one from me).  The short answer seems to be "sorry, you can't do it".
>
> Being a nosy type, and a bit stubborn, I'm still trying to either:
> a) Understand exactly why I can't do it, or better
> b) Figure out how to do it.
>
> Pursuing a):
> I put an "id" and an "env" and a "net use" in one of the scripts I run from
> cron.
>
> "id" returns:
>      uid=11823(dond) gid=18(SYSTEM) groups=0(Everyone),18(SYSTEM),\
>     10513(Domain Users),11459(Special)
> ("dond" is my domain user login; I broke the line myself.)  The only
> difference here from running under the Cygwin shell is the gid; in the
> latter case, the gid is 11459.  It appears that crond is indeed "su"ing to
> my user, although keeping its own group.
>
> Among the "env" output occurs the following:
> CYGWIN=tty ntsec
>
> "net use" gives:
>     Status       Local     Remote                    Network
>     -------------------------------------------------------------------------------
>     Unavailable  H:        \\server1\d$              Microsoft Windows Network
>     Unavailable  I:        \\server2\d$              Microsoft Windows Network
>     Unavailable  K:        \\server3\users           Microsoft Windows Network
>     Disconnected           \\server4\common          Microsoft Windows Network
>     The command completed successfully.
>
> Finally, I tried "net use u: '\\server5\Users\dond'", and got the following:
>     System error 53 has occurred.
>     The network path was not found.
>     New connections will be remembered.
>
> So, the question seems to become: why doesn't "su"ing to my domain user give
> the process "enough power" to see network paths?

I don't think the setuid bit works by default. That would require a 'watcher'
process (i.e. cygserver) which had sufficient privileges to log on as a user
without a password to set the new processes' token.

These links explain why the SYSTEM account can't access network drives:

Service Running as System Account Fails Accessing Network (Q124184)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q124184

Local System Account and Null Sessions in Windows NT (Q132679)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q132679

Using the System Account as a Service in Windows NT 3.5 (Q122702)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q122702

Regards
Chris
