Re: Accessing SMB share as wrong user?

On 2017-05-29 22:15, David Dyer-Bennet wrote:
> On 5/29/2017 22:49, Brian Inglis wrote:
>> On 2017-05-29 12:37, David Dyer-Bennet wrote:
>>> On 5/29/2017 12:45, Brian Inglis wrote:
>>>> On 2017-05-29 11:16, David Dyer-Bennet wrote:
>>>>> A simpler case demonstrating this; X0 is a new share (created just
>>>>> for testing this) with no prior history, nothing manually set.
>>>>> (Server is FreeNAS, current version).
>>>>> From the beginning, when it first sees it, it shows the file owners 
>>>>> and groups weirdly.
>>>>> And then it's able to create a file and write to it *once*, but
>>>>> can't then append to it???
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ id
>>>>> uid=197608(David Dyer-Bennet) gid=197121(None)
>>>>> groups=197121(None),197609(Ssh
>>>>> Users),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated
>>>>> Users),15(This Organization),113(Local account),66048(LOCAL),262154(NTLM
>>>>> Authentication),401408(Medium Mandatory Level)
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ ls -ld .
>>>>> drwxrwxr-x+ 1 Unknown+User Unix_Group+1001 0 May 29 11:55 .
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ getfacl .
>>>>> # file: .
>>>>> # owner: Unknown+User
>>>>> # group: Unix_Group+1001
>>>>> user::rwx
>>>>> group::rwx
>>>>> other:r-x
>>>>> default:user::rwx
>>>>> default:group::rwx
>>>>> default:group:Unix_Group+1001:rwx
>>>>> default:mask:rwx
>>>>> default:other:r-x
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ echo something > foobar
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ ls -l foobar
>>>>> ----r--r-- 1 Unknown+User Unix_Group+1001 10 May 29 12:11 foobar
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ getfacl foobar
>>>>> # file: foobar
>>>>> # owner: Unknown+User
>>>>> # group: Unix_Group+1001
>>>>> user::---
>>>>> group::r--
>>>>> other:r--
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ echo more >> foobar
>>>>> -bash: foobar: Permission denied
>>>>
>>>> See Cygwin User's Guide section on Switching the user context:
>>>> $ cygstart
>>>> /usr/share/doc/cygwin-2.8.0/html/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>>> OR
>>>> $ cygstart https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>>
>>> That appears to be instructions on how to temporarily, in code, act as
>>> another user.  My problem is that when I create a Bash shell, it
>>> accesses network drives as the wrong user.  It may be possible for me to
>>> write a version of Bash that switches to the right (default) user using
>>> that information, but why is it *necessary*?  Local drives are accessed
>>> fine.
>>
>> That is the description of what Cygwin does to emulate a user context
>> for remote access to shares - you may want to set up and try methods 1,
>> 2, and 3 to see what works with your network shares.
> 
> It's never been necessary before; why is it suddenly necessary now?

It may be because there were major changes a few? releases ago, to use
SAM and AD info and eliminate the need for or use of passwd and group,
support nsswitch to customize this, support some customizations allowed
with passwd and group in another manner, and support POSIX and Windows
ACLs.

> And, again, what it is describing is how to do that *temporarily in
> code*, not permanently at the command line.

It tells you how Cygwin implements security, how to change your
environment to use those mapping methods to get access to network
shares, the impact, and tradeoffs you may have to make. It describes
setting up LSA authentication using cyglsa-config, and using passwd -R,
optionally with cygserver, to get access to network shares, and for
other uses.

>> First step may be to change or remap your userid to one not containing
>> spaces using /etc/passwd; see
>> 	https://cygwin.com/faq.html#faq.setup.name-with-space
>> then
>> 	https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
> 
> Instructions are bad, they refer (in 2.16) to a nonexistent Windows
> management tool "GUI user manager".  The actual tool, the "local users
> and groups" tool within "computer management", has no facility to change
> a username.

Then recreate /etc/passwd and /etc/group, and change what you need, as
long as it does not cause a Cygwin conflict with what is in SAM or AD.

I am well aware not everything got easier with W7 and W10 changes.
Controls and features that could easily be abused by idiots or malware
were removed, and replaced by more restrictions, commands, registry
manipulation tools, and languages, that made many things harder to do,
unless the available GUI did all that you wanted, and you have the
privilege to do so. I have some scripts to do from the unprivileged
command line what I can otherwise do only via a GUI run as admin!

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
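Added example, not code from this thread or from Cygwin: a POSIX sh helper that parses getfacl output like the listings quoted above and reports an unmapped owner name (Unknown+ or Unix_User+) and a missing owner write bit, the two conditions that appear together on foobar before the append was denied. The function names check_facl and owner_mapping are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): read Cygwin getfacl output on
# stdin and report whether the file owner is an unmapped SID and whether
# the owner has write permission, the two things visible in the listing
# of "foobar" quoted above.

# Classify the owner name as Cygwin's getfacl prints it.
owner_mapping() {
  case "$1" in
    Unknown+*)   echo "unknown-sid" ;;       # SID Cygwin could not resolve
    Unix_User+*) echo "unmapped-unix-uid" ;; # Samba/NFS uid with no account
    *)           echo "mapped" ;;
  esac
}

# Parse getfacl text from stdin.  Prints one line:
#   <owner> <mapping> <owner-perms> <ok | comma-separated problems>
check_facl() {
  owner=""; uperm=""
  while IFS= read -r line; do
    case "$line" in
      "# owner: "*) owner=${line#"# owner: "} ;;
      user::*)      uperm=${line#user::} ;;   # default:user:: lines skipped
    esac
  done
  mapping=$(owner_mapping "$owner")
  problems=""
  [ "$mapping" = "mapped" ] || problems="owner-not-mapped"
  case "$uperm" in
    *w*) ;;
    *)   problems="${problems:+$problems,}owner-no-write" ;;
  esac
  printf '%s %s %s %s\n' "$owner" "$mapping" "$uperm" "${problems:-ok}"
}

# Constructed sample: the "foobar" listing from the thread.
printf '%s\n' '# file: foobar' '# owner: Unknown+User' \
  '# group: Unix_Group+1001' 'user::---' 'group::r--' 'other:r--' | check_facl
# -> Unknown+User unknown-sid --- owner-not-mapped,owner-no-write

# Real use on the share:  getfacl foobar | check_facl
```

The first output field shows what name the owner SID resolves to on this client, which is what the passwd/group mapping discussed in the replies above changes.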
