delorie.com/archives/browse.cgi   search  
Mail Archives: cygwin/2003/01/13/22:17:51

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-Authentication-Warning: slinky.cs.nyu.edu: pechtcha owned process doing -bs
Date: Mon, 13 Jan 2003 22:16:57 -0500 (EST)
From: Igor Pechtchanski <pechtcha AT cs DOT nyu DOT edu>
Reply-To: cygwin AT cygwin DOT com
To: Richard Troy <rtroy AT sciencetools DOT com>
cc: cygwin AT cygwin DOT com
Subject: Re: current state of credential hopping?
In-Reply-To: <Pine.LNX.4.33.0301131746310.32485-100000@denzel.in>
Message-ID: <Pine.GSO.4.44.0301132151450.10883-100000@slinky.cs.nyu.edu>
Importance: Normal
MIME-Version: 1.0

On Mon, 13 Jan 2003, Richard Troy wrote:

> Hi All,
>
> One of the long-time known problems (limitations) with cygwin has been the
> lack of the ability to switch user identities, such as is done with the
> suid bit, and su utility. I know that as of last April, there was some
> talk of using the cygserver as a partial answer (with shared memory as a
> possible attack/leak point). I'm wondering about what's happened or is
> happening on this point and I've got a few practical questions and
> observations that relate.
>
> The primary question is simple, but does not appear to be reflected in the
> archive: Is anybody working on cygserver to get this technology
> implemented?
>
> I also observe that the sshd seems to be doing something a bit like this -
> how is it doing so? If we have an sshd doing something like this, why not
> have an su program? In fact, I have been taking advantage of the client
> side of ssh to ask a program be run for you on the "remote" system. Yeah,
> performance sucks, but then, at least it works! It does make for a crude
> 'su' program!
>
> A somewhat related observation is that when I use ssh to create a session
> on the system, it seems to work just fine HOWEVER, it does not have good
> access to disk shares. How might I go about providing my ssh clients who
> are a different user than is logged in into windows (or when noone is
> logged in!) access to disk shares? These other users, if logged into
> windows directly, have privileges for their own disk share access. The
> question then is, how can I mount volumes just for them? Do they need
> their own drive letters, or will they be private? ...I've read up on
> mount, but don't think this solves the problem: Simply accessing mounts
> which another user has the credentials for isn't quite right. The
> credentials should be based upon the rights of the user who's using
> them... That is to say, how/where do I tell it what username and password
> to use for the shares accessed? Or, will windows apply the correct
> credentials on my behalf? (I guess I could figure that out on my own with
> a lot of testing, but it'd be nice to get a straight answer if someone
> knows, please.)
>
> Thanks, and happy CYGWINning!
> Richard

Richard,

There is a fairly detailed discussion of this in the cygwin-developers
list archives for the past couple of months.

If I recall the details correctly, Windows NT security model allows for
switching the effective userid, but requires a special permission which by
default is given only to the LocalSystem user.  Thus, programs like
'login' or 'su' can only work for a user possessing such a permission.

sshd and telnetd (and cygserver) run under the LocalSystem account, so
they are able to switch user context to the authenticated user.  This is
why 'ssh user AT localhost' works.  One of the goals of cygserver, by my
recollection, was to provide a service running as LocalSystem accessible
to the cygwin DLL to perform tasks that require root-like permissions.
Since this service would have to be accessible to non-root processes (by
necessity), security would indeed be an issue.

Technically, nothing prevents an administrator on a machine from giving
this permission (called, I *think*, 'Create a token object') to a user
other than LocalSystem, which will then allow that user to run 'login'
successfully.  It is impractical from a security standpoint, however, to
give this permission to all users.

I think the situation is similar with the network shares, and one needs a
token to access them, but these are murky waters, and I don't claim to
fully understand these issues.

I'll only add that there also seems to be a difference between a
password-authenticated user token and a pubkey-authenticated user token,
and then I'll shut up and let experts like Pierre Humblet or Corinna
Vinschen correct my certainly naive interpretation.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Oh, boy, virtual memory! Now I'm gonna make myself a really *big* RAMdisk!
  -- /usr/games/fortune


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019