[Samba] Debugging Privilege and Samba 3.0.11

JLB jlb at twu.net
Fri Feb 25 18:48:09 GMT 2005


On Fri, 25 Feb 2005, Thierry wrote:

> Date: Fri, 25 Feb 2005 19:25:14 +0100
> From: Thierry <Thierry at echotech.ch>
> To: samba at lists.samba.org
> Subject: [Samba] Debugging Privilege and Samba 3.0.11
>
> Hello,
>
> I am striving to give out globally to our developers a way to debug
> their C++ applications, but I do not want to give them Admin rights on
> the individual workstations.

You're foolish if you think anyone with local access to a workstation
can't get into the Admin account on their local machine.

Here is a boot disk suitable for changing or blanking the Administrator
password on any NT box:

http://home.eunet.no/~pnordahl/ntpasswd/

Here is a boot disk suitable for mounting Linux partitions and editing
/etc/passwd and/or /etc/shadow:

http://www.toms.net/rb/

Here is a tool that lets you remove or alter BIOS passwords:

http://www.cgsecurity.org/index.html?cmospwd.html

Here is a provider of screwdrivers. Screwdrivers let you physically reset
BIOSes, remove or replace drives, install logging devices, etc.:

http://www.homedepot.com/


>
> I thought I found the light when reading on MSDN that to debug users
> need to be members of the "Debugger Users" group (according to VS.Net).
> This group seems to be created with a random SID when installing VS.Net
> on the computer.
> I created the group on the Samba domain, even removed the Local group
> on the computer where VS was installed, but any attempt to debug with a
> "Domain User" account is moot: ends up with "permission refused" when I
> want to attach to a process.
>
> Now I think that maybe the real right to debug a process is bound to the
> SeDebugPrivilege privilege on the Domain.
> Unfortunately attempts to perform
> net rpc rights grant 'LAB\Debugger Users' SeDebugPrivilege
> end up with NT_STATUS_NO_SUCH_PRIVILEGE.
>
> I even tried to manually add the "Debugger Users" group to the Local
> Security Policy of the computer to the "Debug" rights, but it doesn't
> work either.
>
> Can anybody shed some light on the way I can reach my simple goal: give
> developers a way to debug, without giving away "Domain Admin" rights to
> them?
>
> (Yes, I know, this security is not perfect, but hey, I did not invent
> the Windows security model either...)
>
> Thank you for any help!
>
> Cheers
> Thierry

--
J. L. Blank, Systems Administrator, twu.net

