Mail Archives: cygwin/2001/10/18/06:14:36

Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Date: Thu, 18 Oct 2001 10:53:58 +0200
From: Corinna Vinschen <cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: [ssh-l] Running commands under the SYSTEM account ?
Message-ID: <20011018105358.P1696@cygbert.vinschen.de>
Mail-Followup-To: cygwin AT cygwin DOT com
References: <010601c15746$16aeb480$7e64a8c0 AT int DOT netacumen DOT com> <3BCDE821 DOT 1C046627 AT cportcorp DOT com> <000001c1574b$d21b9030$7e64a8c0 AT int DOT netacumen DOT com> <3BCDF32C DOT 73DA4578 AT cportcorp DOT com> <01b701c1575b$37d8a570$7e64a8c0 AT int DOT netacumen DOT com> <3BCE0BED DOT 7000702 AT nothing-on DOT tv>
Mime-Version: 1.0
User-Agent: Mutt/1.2.5i
In-Reply-To: <3BCE0BED.7000702@nothing-on.tv>; from tmh@nothing-on.tv on Wed, Oct 17, 2001 at 11:53:33PM +0100

On Wed, Oct 17, 2001 at 11:53:33PM +0100, Tony Hoyle wrote:
> Creating a shell from this impersonated account should work exactly the 
> same as if LogonUser had been used.

No, there is a significant difference.

Using NtCreateToken() the process doesn't create a so-called
"Logon Session".  A logon session has a unique logon identifier
(a LUID) which gets created by the LSA authentication module running
while logon authentication takes place.  Since NtCreateToken()
doesn't call any LSA auth module, no logon session ID gets created. 
To have a valid logon session ID nonetheless, the call to
NtCreateToken() has to use one of two "well-known" logon session
IDs, SYSTEM_LUID or ANONYMOUS_LOGON_LUID.

The next problem is that an authentication token contains invisible
information (from the GetTokenInformation() point of view).  When
a user logs on using the `official' way (LogonUser is one of them),
that user has given credentials (password).  These credentials are
saved in the created logon session to authenticate the user against
servers on the net and such stuff.  Again, we have the problem that
no unique logon session has been created, so no credentials are stored
anywhere.  If you try to `net use' a share the appropriate error
message is generated: "A specified logon session does not exist."

So everything is bound to creating a logon session.

To make that really clear:

**************************************************************************
*                                                                        *
* I don't know any way to create a logon session outside of a lsa        *
* authentication module.  Even if I know the call which has to be used   *
* from inside a LSA authentication module to create a logon session,     *
* I don't know how to write a lsa authentication module.  If anybody can *
* help out here we could probably create a technique to change user      *
* context in Cygwin _with_ remote share access.                          *
*                                                                        *
**************************************************************************

And:

**************************************************************************
*                                                                        *
* Unless we have a method which creates a logon session without          *
* the need to give a password, access to shares is restricted to either  *
* public shares or to logon methods using a password (ssh w/ password,   *
* telnet).                                                               *
*                                                                        *
**************************************************************************

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
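A way to check which logon session a process token is bound to, as an added example that is not part of the thread or of Cygwin: PowerShell with a small P/Invoke helper (the `TokenInfo` class is constructed here) reads the token's AuthenticationId LUID via GetTokenInformation(TokenStatistics) and compares it with the well-known SYSTEM_LUID (0x3e7) and ANONYMOUS_LOGON_LUID (0x3e6) values, whose numeric values are not stated in the post.

```powershell
# Added example (not from the original post): report the logon session ID of
# the current process token. A real LSA logon gets a unique LUID; a token built
# with NtCreateToken() can only carry a well-known one (no stored credentials).
$src = @'
using System;
using System.Runtime.InteropServices;
public static class TokenInfo {           // helper class, constructed here
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_STATISTICS {      // layout as in winnt.h
        public LUID TokenId; public LUID AuthenticationId; public long ExpirationTime;
        public int TokenType; public int ImpersonationLevel;
        public uint DynamicCharged; public uint DynamicAvailable;
        public uint GroupCount; public uint PrivilegeCount; public LUID ModifiedId;
    }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf,
                                           uint len, out uint needed);
    public static LUID CurrentLogonId() {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0008 /* TOKEN_QUERY */, out token))
            throw new Exception("OpenProcessToken failed: " + Marshal.GetLastWin32Error());
        int size = Marshal.SizeOf(typeof(TOKEN_STATISTICS));
        IntPtr buf = Marshal.AllocHGlobal(size);
        try {
            uint needed;
            if (!GetTokenInformation(token, 10 /* TokenStatistics */, buf, (uint)size, out needed))
                throw new Exception("GetTokenInformation failed: " + Marshal.GetLastWin32Error());
            var stats = (TOKEN_STATISTICS)Marshal.PtrToStructure(buf, typeof(TOKEN_STATISTICS));
            return stats.AuthenticationId;   // the logon session LUID
        } finally { Marshal.FreeHGlobal(buf); CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $src
# Well-known logon session LUIDs (LowPart; HighPart is 0 for both of them).
$wellKnown = @{ 0x3e7 = 'SYSTEM_LUID'; 0x3e6 = 'ANONYMOUS_LOGON_LUID' }
$luid = [TokenInfo]::CurrentLogonId()
$text = '{0:x}:0x{1:x}' -f $luid.HighPart, $luid.LowPart   # same form klist prints
if ($luid.HighPart -eq 0 -and $wellKnown.ContainsKey([int]$luid.LowPart)) {
    "Logon session $text is well-known ($($wellKnown[[int]$luid.LowPart])): not an LSA-created session, no credentials stored for it"
} else {
    "Logon session $text is a unique LUID, i.e. a session created by an LSA authentication package"
}
```

Run it from a normal interactive shell and then from a context that was not produced by LogonUser() or another LSA logon to see the two cases side by side.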
