#73685 - 2003-02-26 09:03 AM Having problem with XP AND su AND kix
Mandala Offline
Fresh Scripter

Registered: 2003-02-17
Posts: 36
Following my old topic (see Crypted external files for more explanation; here is the link: Crypted external), I've got another problem with the su.exe tool.

This tool works well on 2000 but seems to give trouble on XP.

If you execute it from a local dir on XP, it works well, but if you call it from a shared or network drive it gives an error (even if the su.exe is on a local drive).

the error is
*----------------------------------
CreateProcessAsUser error! (rc=247)
le nom de répertoire est incorrect (translate: directory name incorrect)
*----------------------------------

Has anyone had the same trouble with XP Pro?
Does anyone know a solution?
Does anyone have a more recent version of SU? Mine is 78096 octets.
It seems that a fix exists somewhere, but I didn't find it on the web.
If someone could help...

P.MAQUOI
_________________________
P.Maquoi Cellule Antivirus du M.E.T. pmaquoi@met.wallonie.be

#73686 - 2003-02-26 09:42 AM Re: Having problem with XP AND su AND kix
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
you use kixcrypt, right?
not sure but quickie...
add all the needed files to the package (including su.exe)

mm... maybe you should wait for someone that has at some point used su to get answer to your actual fix-question.
_________________________
!

download KiXnet

#73687 - 2003-02-26 11:43 AM Re: Having problem with XP AND su AND kix
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Just to pad out the information - we've had some private mail on this, here is an excerpt:
quote:
I've had a quick look around the web, and it looks like it may be a problem with the "su" command.
Here is one page that mentions a similar problem:
http://www.swynk.com/friends/Hobbs/offtopic.asp#CreateProcessAsUser%20/%20The%20handle%20is%20invalid%20error

If you are using "su" from the W2K resource kit there is a hot-fix, detailed here:
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b265401

The MS page reports a hotfix, but I believe it is one of those "contact a representative" types which is not generally available for download - this is the fix that Mandala refers to.

As he mentions, the process works on W2K clients, but fails on XP.

[ 26. February 2003, 11:45: Message edited by: Richard H. ]

#73688 - 2003-02-26 11:57 AM Re: Having problem with XP AND su AND kix
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
Mandala,

It's a bug!!!

Discovered it too, contacted M$ for the patch, no results!!!

Workaround:

Use SETL to set environment variables (su_drive,su_server,su_share) and let su start a script which makes the connection before doing anything else

code:
;--------------------
;Call_KIXSU.kix

SETL "su_drive=p:"
SETL "su_server=\\servername"
SETL "su_share=share"

;start su here running KIXSU.kix

;--------------------
;KIXSU.kix
use %su_drive% %su_server%+"\"+%su_share%

;Start whatever you like here

Don't forget to verify the connection!!!
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

#73689 - 2003-02-27 12:08 AM Re: Having problem with XP AND su AND kix
Mandala Offline
Fresh Scripter

Registered: 2003-02-17
Posts: 36
Me again

I've tested the NT4 version and the W2000 version of SU.

The same problem with these two if called from a network/shared drive on XP

P.MAQUOI
Cellule Antivirus du MET
virus@met.wallonie.be
_________________________
P.Maquoi Cellule Antivirus du M.E.T. pmaquoi@met.wallonie.be

#73690 - 2003-02-26 01:03 PM Re: Having problem with XP AND su AND kix
Mandala Offline
Fresh Scripter

Registered: 2003-02-17
Posts: 36
like MightyR1 said
code:
SetL "su_drive=n:"
SetL "su_server=\\d420x1"
SetL "su_share=netlogon"
SetL "SU_PASSWORD=phmphm"
Shell 'su.exe phm "SU_COMMANDLINE=d:\kixtest\Kix32.exe d:\kixtest\connect.kix"'

that calls another kix

code:
  
Use %su_drive% %su_server%+"\"+%su_share%

BUT ...

if it's done like this, another window is opened by the shell command and the SET parameters are ignored.

If I use SETM the parameters are OK, the error code returned by USE is 0 (success), but I don't see the shared dir on the letter N.

For the moment, I just want to throw my XP (and the computer) through a window for a (very) long time
Mandala

Mandala
_________________________
P.Maquoi Cellule Antivirus du M.E.T. pmaquoi@met.wallonie.be

#73691 - 2003-02-26 01:27 PM Re: Having problem with XP AND su AND kix
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Whoa! Be very careful about which environment variables you are setting.

Some of them are in the machine environment and will be available to unrelated sessions. They may also be persistent.

Bad move if someone opens a DOS window, types "set" and can see your password in plain text [Eek!]
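
Added example, not part of the original posts: a Python illustration of the exposure described above, using the SU_PASSWORD variable name from the thread. It contrasts handing the secret to exactly one child process with writing it into the launcher's own environment, where every later child inherits it. The probe child and the test value are constructed, and the machine-wide (SetM) case is not modelled.

```python
import os
import subprocess
import sys

# Constructed probe: a child process that reports what it sees in SU_PASSWORD.
PROBE = "import os; print(os.environ.get('SU_PASSWORD', '<unset>'))"

def run_child(env):
    """Start a child Python process with the given environment and return
    the SU_PASSWORD value visible to it."""
    out = subprocess.run([sys.executable, "-c", PROBE], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

def clean_env():
    """Copy of the current environment without any SU_PASSWORD entry."""
    return {k: v for k, v in os.environ.items() if k.upper() != "SU_PASSWORD"}

def scoped_launch(secret):
    """Give the secret to exactly one child; the launcher's own environment
    is never modified, so a later, unrelated child does not inherit it."""
    target_env = dict(clean_env(), SU_PASSWORD=secret)
    target_sees = run_child(target_env)
    sibling_sees = run_child(clean_env())
    return target_sees, sibling_sees

def wide_launch(secret):
    """Anti-pattern: store the secret in the launcher's environment, so every
    child started afterwards inherits it."""
    os.environ["SU_PASSWORD"] = secret
    try:
        return run_child(dict(os.environ)), run_child(dict(os.environ))
    finally:
        os.environ.pop("SU_PASSWORD", None)  # remove it again after the demo

if __name__ == "__main__":
    print("scoped:", scoped_launch("constructed-test-value"))
    print("wide:  ", wide_launch("constructed-test-value"))
```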

#73692 - 2003-02-26 02:02 PM Re: Having problem with XP AND su AND kix
Mandala Offline
Fresh Scripter

Registered: 2003-02-17
Posts: 36
Yes, I know it's not secured.

The target is just to try to find a way to use SU.exe.

For the normal script, I'll use kixcrypt to declare the login and the password.

These scripts are just for test purposes.
_________________________
P.Maquoi Cellule Antivirus du M.E.T. pmaquoi@met.wallonie.be

#73693 - 2003-02-26 02:37 PM Re: Having problem with XP AND su AND kix
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Patrick,

Is your solution one suggested by Microsoft, or one that you discovered independently?

What is the reasoning behind the work-around?

#73694 - 2003-02-26 02:45 PM Re: Having problem with XP AND su AND kix
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
What did I do???

Well...

code:
;;;;;TST.KIX;;;;;
Break on
SetL "SU_COMMANDLINE=.\wkix32.exe d:\kix\tst\tst_2.kix"
SetM "SU_Server=\\@wksta"
SetM "SU_share=\admin$$"
SetM "SU_drive=O:"
Shell @scriptdir+"\tst_SU"
SetM "SU_Server="
SetM "SU_share="
SetM "SU_drive="
Exit 0

code:
;;;;;TST_2.KIX;;;;;
Break on
Use %SU_drive% %SU_server%+%SU_share%
If @error
$rc=MessageBox("Error (@error) while connecting %SU_drive% to %SU_server%"+"%SU_share%.","")
Else
$rc=MessageBox("Connected %SU_drive% to %SU_server%"+"%SU_share% succesfully.","")
EndIf
Use %SU_drive% /d
If @error
$rc=MessageBox("Error (@error) while disconnecting %SU_drive% from %SU_server%"+"%SU_share%.","")
Else
$rc=MessageBox("Disconnected %SU_drive% from %SU_server%"+"%SU_share% succesfully.","")
EndIf
Exit 0

code:
;;;;;TST_SU.KIX;;;;;
SetL "SU_PASSWORD="+$SU_password
Shell '"@scriptdir\su.exe" admin "%SU_COMMANDLINE%"'
Exit 0

I made an exe of tst_su.kix with the command:
code:
wkixcrypt -f "D:\Kix\tst\WKIX32.EXE" -f "D:\Kix\tst\SU.EXE" -m "" -e 

""""%%KIXCRYPTDIR%%\wkix32.exe""" """%%KIXCRYPTFILE%%""" $SU_PASSWORD=********"

"D:\Kix\tst\tst_su.kix"

I think this works and is secure...

[ 26. February 2003, 23:54: Message edited by: MightyR1 ]
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

#73695 - 2003-02-26 02:56 PM Re: Having problem with XP AND su AND kix
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Patrick,
To make your solution a little more secure, change your TST_SU.KIX to:
code:
;;;;;TST_SU.KIX;;;;;
SetL "SU_PASSWORD="+$SU_PASSWORD
Shell 'su admin "%SU_COMMANDLINE%"'
Exit 0

And change the encryption line to:
code:
wkixcrypt -f "D:\Kix\tst\WKIX32.EXE" -f "D:\Kix\tst\SU.EXE" -m "" -e """"%KIXCRYPTDIR%\wkix32.exe """%KIXCRYPTFILE%""" $SU_PASSWORD=******" "D:\Kix\tst\tst_su.kix"

(Sorry about the long line guys)

Doing it this way ensures that the password is never visible in its unencrypted form - it is passed directly on the command line as a variable assignment.

Even if someone gets a view of your unencrypted script, they will not see the password.

#73696 - 2003-02-26 03:04 PM Re: Having problem with XP AND su AND kix
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Patrick,
I'm not picking on you, but there is one more thing you should change to ensure that your script is secure.

Whenever you call an external command (using Shell, Run or whatever) be sure to fully qualify the command.

You have done this in almost every case except where you call "su".

If a savvy user places a copy of "su.exe" higher in the execution chain (PATH) there is a possibility that it will get executed instead of the one in your package, and the one that they place there may not be benign.

Prefix the "su" with either @SCRIPTDIR or %KIXCRYPTDIR% to be sure that it is running your version.
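
Added example, not part of the original posts: a Python check for the situation described above, where a bare "su" resolves to a different su.exe than the packaged one. The search order is a simplified model supplied by the caller (real Windows lookup also tries other locations first), and the directory layout and file contents are constructed.

```python
import os
import tempfile

PATHEXT = (".exe", ".com", ".bat", ".cmd")

def resolve_bare(name, search_dirs):
    """Return the file a command resolves to. A name with a directory part is
    used as given; a bare name is tried in each directory in order."""
    if os.path.dirname(name):
        return os.path.abspath(name) if os.path.isfile(name) else None
    names = [name] if os.path.splitext(name)[1] else [name + ext for ext in PATHEXT]
    for directory in search_dirs:
        for candidate in names:
            full = os.path.join(directory, candidate)
            if os.path.isfile(full):
                return os.path.abspath(full)
    return None

def audit_call(name, packaged_path, search_dirs):
    """Report whether the call would run something other than the packaged
    binary the script author intended."""
    resolved = resolve_bare(name, search_dirs)
    shadowed = resolved is not None and not os.path.samefile(resolved, packaged_path)
    return {"resolved": resolved, "shadowed": shadowed}

def demo():
    # Constructed layout: a user-writable directory is searched before the
    # package directory, and both contain a file named su.exe.
    root = tempfile.mkdtemp()
    user_dir = os.path.join(root, "userbin")
    pkg_dir = os.path.join(root, "package")
    for directory in (user_dir, pkg_dir):
        os.mkdir(directory)
        with open(os.path.join(directory, "su.exe"), "wb") as fh:
            fh.write(b"constructed placeholder")
    packaged = os.path.join(pkg_dir, "su.exe")
    bare = audit_call("su", packaged, [user_dir, pkg_dir])
    qualified = audit_call(packaged, packaged, [user_dir, pkg_dir])
    return bare, qualified, user_dir

if __name__ == "__main__":
    bare, qualified, _ = demo()
    print("bare 'su' ->", bare["resolved"], "shadowed:", bare["shadowed"])
    print("qualified ->", qualified["resolved"], "shadowed:", qualified["shadowed"])
```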

#73697 - 2003-02-26 03:12 PM Re: Having problem with XP AND su AND kix
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
Thnx for the tips...

Will adjust...
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

#73698 - 2003-02-26 04:02 PM Re: Having problem with XP AND su AND kix
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
Hmm, that sounds like another reason not to use SU. The more I read about it the less I like it. At least with the Task Scheduler I don't need to expose the usernames and passwords in the client machines and can protect them.
_________________________
There are two types of vessels, submarines and targets.

#73699 - 2003-02-26 10:42 PM Re: Having problem with XP AND su AND kix
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
Jens,

looked in the past at scheduletask(). Was just wondering how it could be used to do an install on demand?
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

#73700 - 2003-02-26 11:56 PM Re: Having problem with XP AND su AND kix
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
Richard,

your kixcrypt line didn't work for me.
I edited my previous post so it contains the in my opinion correct kixcrypt line.

Please verify...
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

#73701 - 2003-02-27 04:12 AM Re: Having problem with XP AND su AND kix
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
Patrick:

The way I install applications is as follows:

1) Create a silent install package for the application and put it onto a secure share (accessible to admins only)
2) Create a batch file that contains the command line to install the application and a second line to delete the batch file
3) Copy the batch file to the client on which you want to install the application, e.g. into the %WINDIR% directory
4) Schedule a task executing the copied batch file under an administrative account

The above is a very simplified version. However, for more information, take a look at the Kixtart Systems Management Server.
_________________________
There are two types of vessels, submarines and targets.

#73702 - 2003-02-27 08:33 AM Re: Having problem with XP AND su AND kix
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
Jens,

I took a look at KSMS, but this isn't a solution for me...

I'd like the install of software to be initiated by the user. To use the KSMS method I need a daemon running on the server which checks client requests all the time (< 10 secs). This can be done, but ... The easy way is to do it with SU and KiXCrypt.
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

#73703 - 2003-02-27 10:27 AM Re: Having problem with XP AND su AND kix
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Patrick,
Apologies for any typos - I didn't actually go through the process of making the package.

You got the idea which was the point, and your modified line looks OK to me.

#73704 - 2003-02-27 02:06 PM Re: Having problem with XP AND su AND kix
Mandala Offline
Fresh Scripter

Registered: 2003-02-17
Posts: 36
I used the procedure that MightyR1 described with his three files.

This also works fine if launched from a local dir but not from a shared dir (netlogon dir).

We have the same message "CreateProcessFromUser"
when the su is started from the netlogon dir.

Oh what a quest !
_________________________
P.Maquoi Cellule Antivirus du M.E.T. pmaquoi@met.wallonie.be
