Mail Archives: cygwin/2001/07/10/15:55:09

Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-Id: <5.1.0.14.0.20010710154844.02acf598@pop-server.cfl.rr.com>
X-Sender: psusi AT pop-server DOT cfl DOT rr DOT com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Tue, 10 Jul 2001 15:52:36 -0400
To: Corinna Vinschen <cygwin AT cygwin DOT com>
From: Phillip Susi <psusi AT cfl DOT rr DOT com>
Subject: Re: I can't find command su.exe
In-Reply-To: <20010709075304.F8578@cygbert.vinschen.de>
References: <5 DOT 1 DOT 0 DOT 14 DOT 0 DOT 20010708171355 DOT 02c86118 AT pop-server DOT cfl DOT rr DOT com>
<000201c1065d$c01ce990$6464648a AT ca DOT boeing DOT com>
<0DAEDF148988D411BB980008C7E65D2E03A14C18 AT esealnt416>
<000201c1065d$c01ce990$6464648a AT ca DOT boeing DOT com>
<20010708194325 DOT D8578 AT cygbert DOT vinschen DOT de>
<5 DOT 1 DOT 0 DOT 14 DOT 0 DOT 20010708171355 DOT 02c86118 AT pop-server DOT cfl DOT rr DOT com>
Mime-Version: 1.0

At 07:53 AM 7/9/2001 +0200, you wrote:

>You're right, we would need a server process to have a real `su'
>solution. We already discussed such a server process to support
>various features (su, suid-bit, ipc, ...) on the cygwin-developers
>list but that will need time. The need for the TCB privilege is a
>problem, actually. Fortunately Microsoft dropped the need to have
>the TCB privilege when calling LogonUser in XP but that doesn't
>really help as long as NT and W2K are still in use.

Right.

> > I was actually thinking of writing a replacement authentication dll that
> > would punt to the standard one unless a special username syntax was
> > entered, something like administrator!luser, and if the administrator
> > password was correct, it would log on as luser.  This would be nice because
> > if you installed it on a domain controller, it would handle logon requests
> > from all clients in the domain, for local and remote access, not just local.
>
>But authentication DLLs are actually running in TCB context as well.
>So the process connecting the authDLL would still need that privilege,
>right?
>
>Corinna
They are called by lsass.exe, AFAIK.  The standard authentication dll 
performs the authentication and builds the token for the user, so I 
thought: why not install a hook to intercept specially formed logon 
requests, call the original package to authenticate the user trying to su, 
and if that succeeds, manually build a token for the user they are trying 
to su to?  For standard logon requests, just pass them on to the original 
package.

The difficulty with this is that the Win2K DDK does not have any 
documentation on authentication packages that I can find, and the NT4 DDK 
documentation is sketchy at best.


   -->Phillip Susi
      psusi AT cfl DOT rr DOT com
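The thread above describes how lsass.exe loads registered authentication packages and lets them authenticate users and build tokens. Because any DLL registered there runs inside LSA with TCB-level trust, an administrator auditing a machine wants to know exactly which packages are registered. The following PowerShell script is an added example written for this archive page, not code from the thread or from the Cygwin project. It reads the `Authentication Packages` value under the LSA registry key, compares each entry against a baseline list (the `$Expected` array is an assumption: `msv1_0` is the stock entry on a standalone Windows install, and a domain or Kerberos setup may legitimately add more), and reports whether the backing DLL in System32 carries a valid Authenticode signature.

```powershell
# Added example (not part of the original thread): audit which LSA
# authentication packages lsass.exe will load on this machine.
#
# Assumptions:
#   - The registry location and value name are the documented LSA ones.
#   - $Expected is a site-specific baseline; msv1_0 is the stock entry.
#   - Package names map to <name>.dll in %SystemRoot%\System32.

function Get-LsaAuthPackageAudit {
    param(
        [string[]]$Expected = @('msv1_0')   # assumption: stock baseline
    )

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # 'Authentication Packages' is a REG_MULTI_SZ; Get-ItemProperty returns
    # it as a string array, one package name per element.
    $registered = (Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages').'Authentication Packages'

    foreach ($pkg in $registered) {
        # Package names in the registry are bare names without extension.
        $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"

        $baseline = if ($Expected -contains $pkg) { 'expected' } else { 'UNEXPECTED' }

        # A registered package whose DLL is missing or unsigned deserves a look,
        # since it would run inside lsass.exe with full LSA trust if present.
        $signature = if (Test-Path -LiteralPath $dll) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            'missing'
        }

        [PSCustomObject]@{
            Package   = $pkg
            Dll       = $dll
            Baseline  = $baseline
            Signature = $signature
        }
    }
}

# Usage: run from an elevated prompt so the LSA key and System32 are readable.
Get-LsaAuthPackageAudit | Format-Table -AutoSize
```

Any row marked `UNEXPECTED`, or whose `Signature` is not `Valid`, is the kind of entry that should be cross-checked against change records before the next reboot, since the thread's own design (a DLL that intercepts logon requests and builds tokens) illustrates how much a package loaded at that point in the logon path can do.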


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
