This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: exim - failed to read delivery status


At 07:49 AM 6/9/2003 +0400, CoolCold wrote:
>Hello Pierre,
>>
>PAH> How do you know sshd works?
>PAH> Can you telnet into the box as a normal user?
>
>coolcold@workstation ~
>$ ssh gars@localhost
>gars@localhost's password:
>gars@workstation ~
>$ id
>uid=1004(gars) gid=513(None) groups=513(None),547(Power Users),545(Users)
>so it works ;)

Yes. Stranger and stranger.

Can you sshd as coolcold (the user with uid 1003)? 
Can you telnet as gars and/or coolcold?
Can exim deliver mail to gars?

>PAH> What version of Windows do you have? 
>Windows 2003 Enterprise
>gars@workstation ~
>$ cmd -c ver
>Microsoft Windows [Version 5.2.3790]
>(C) Copyright 1985-2003 Microsoft Corp.

Don't know about that one. There have been setuid problems
reported with Windows Server 2003. See list.

>PAH> Does "ps -a" show that inetd has uid 18?
>gars@workstation ~
>$ ps -a|grep 18
>     3440       1    3440       3440    ?   18 03:28:47 /usr/bin/cygrunsrv
>     2240    3440    3440       3708    ?   18 03:28:47 /usr/bin/exim-4.20-1
>     1568       1    1568       1568    ?   18 06:46:10 /usr/bin/cygrunsrv
>     3332    1568    1568       2924    ?   18 06:46:10 /usr/sbin/sshd
>     3356    3332    3356       3356    ?   18 06:46:15 /usr/sbin/sshd
>     3888    3356    3888       3980    1 1003 06:46:18 /usr/bin/bash
>     3480    3332    3480       3480    ?   18 07:39:31 /usr/sbin/sshd
>
>PAH> Does uid 18 appear several times in /etc/passwd ?
>gars@workstation ~
>$ less /etc/passwd |grep ":18"
>SYSTEM::18:544:,S-1-5-18:/:/bin/bash
>
>>>In windows' event log I can see:
>>>Event Type:     Success Audit
>>>Event Source:   Security
>>>Event Category: Privilege Use 
>>>Event ID:       576
>>>Date:           6/9/2003
>>>Time:           6:46:18 AM
>>>User:           WORKSTATION\coolcold
>>>Computer:       WORKSTATION
>>>Description:
>>>Special privileges assigned to new logon:
>>>        User Name:      coolcold
>>>        Domain:         WORKSTATION
>>>        Logon ID:               (0x0,0x6526FC)
>>>        Privileges:     SeChangeNotifyPrivilege
>>>                        SeBackupPrivilege
>>>                        SeRestorePrivilege
>>>                        SeDebugPrivilege
>
>PAH> That looks normal and not related to the problem.
>PAH> Wait. What happened at 6:46 am? Did you login at the console
>PAH> or did you do something else?

>this message is from "login system" command:
>gars@workstation ~
>$ login system;date
>Switching to user system failed!
>
>Mon Jun  9 07:46:14 RDT 2003

Wait. The date above is 07:46:14. The dates below in the log
are 7:39:33 AM.

>this is from windows event log:
>Event Type:     Success Audit
>Event Source:   Security
>Event Category: Privilege Use 
>Event ID:       576
>Date:           6/9/2003
>Time:           7:39:33 AM
>User:           WORKSTATION\gars
>Computer:       WORKSTATION
>Description:
>Special privileges assigned to new logon:
>        User Name:      gars
>        Domain:         WORKSTATION
>        Logon ID:               (0x0,0x71380D)
>        Privileges:     SeChangeNotifyPrivilege
>
>For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>----
>Event Type:     Success Audit
>Event Source:   Security
>Event Category: Logon/Logoff 
>Event ID:       528
>Date:           6/9/2003
>Time:           7:39:33 AM
>User:           WORKSTATION\gars
>Computer:       WORKSTATION
>Description:
>Successful Logon:
>        User Name:      gars
>        Domain:         WORKSTATION
>        Logon ID:               (0x0,0x71380D)
>        Logon Type:     2
>        Logon Process:  Advapi  
>        Authentication Package: Negotiate
>        Workstation Name:       WORKSTATION
>        Logon GUID:     -
>        Caller User Name:       WORKSTATION$
>        Caller Domain:  WORKGROUP
>        Caller Logon ID:        (0x0,0x3E7)
>        Caller Process ID: 3480
>        Transited Services: -
>        Source Network Address: -
>        Source Port:    -
>
>
>For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>
>
>PAH> Is there anything in the application log?
>PAH> Is there anything interesting in /var/log/xxx.log ?
>mmm...nothing really.
>
>PAH> Pierre (who sees it's 11:30 PM)
>
>Best regards, CoolCold
>Time:7.49AM ,Jun 09 2003

I'll sleep over this!
Meanwhile you should find another way to become SYSTEM.
There was a recent mail from Corinna explaining how
to do it with ssh. Others are using another trick involving
scheduling run as, or some such.
Once you are SYSTEM, try running 
strace login

Pierre
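
Added example, not part of the original messages: a small Python correlation of the Security log entries quoted above with the `ps -a` listing, joining event 528's Caller Process ID to the Cygwin WINPID column and matching event 576 by Logon ID. It assumes the default Cygwin `ps` column order (PID PPID PGID WINPID TTY UID STIME COMMAND); the function names are illustrative.

```python
import re

# Excerpts copied from the quoted output in this message (quote markers removed).
PS_OUTPUT = """\
     3332    1568    1568       2924    ?   18 06:46:10 /usr/sbin/sshd
     3888    3356    3888       3980    1 1003 06:46:18 /usr/bin/bash
     3480    3332    3480       3480    ?   18 07:39:31 /usr/sbin/sshd
"""
EVENTS = """\
Event ID:       576
Time:           7:39:33 AM
        User Name:      gars
        Logon ID:               (0x0,0x71380D)
        Privileges:     SeChangeNotifyPrivilege
----
Event ID:       528
Time:           7:39:33 AM
        User Name:      gars
        Logon ID:               (0x0,0x71380D)
        Caller Process ID: 3480
"""

def parse_ps(text):
    """Index Cygwin `ps -a` rows by WINPID (assumed 4th of 8 columns)."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[3].isdigit():
            procs[int(f[3])] = {"uid": int(f[5]), "stime": f[6], "cmd": f[7]}
    return procs

def parse_events(text):
    """Split on '----' separators and read 'Name: value' lines into dicts."""
    pat = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(\S.*?)[ \t]*$", re.M)
    blocks = re.split(r"^-{4,}[ \t]*$", text, flags=re.M)
    return [d for d in (dict(pat.findall(b)) for b in blocks) if "Event ID" in d]

def correlate(events, procs):
    """Join each 528 logon to its caller process and same-session 576 event."""
    privs = {e["Logon ID"]: e.get("Privileges") for e in events if e["Event ID"] == "576"}
    rows = []
    for e in (e for e in events if e["Event ID"] == "528"):
        cpid = e.get("Caller Process ID", "")
        caller = procs.get(int(cpid), {}) if cpid.isdigit() else {}
        rows.append({"user": e["User Name"], "time": e["Time"],
                     "caller": caller.get("cmd"), "caller_uid": caller.get("uid"),
                     "caller_started": caller.get("stime"),
                     "first_privilege": privs.get(e["Logon ID"])})
    return rows

if __name__ == "__main__":
    for row in correlate(parse_events(EVENTS), parse_ps(PS_OUTPUT)):
        print(row)
```

On the excerpts above, the 7:39:33 AM logon for gars resolves to the `/usr/sbin/sshd` process with uid 18 that started at 07:39:31.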
