Mail Archives: cygwin/2005/01/29/10:25:54
Here is a suggested replacement text for the "Switching User Context" section.
Pierre
Since Cygwin release 1.3.3, applications that are member of the Administrators
group and have the "Create a token object", "Replace a process level token"
and
"Increase Quota" user rights can switch user context without giving a password
by just calling the usual setuid, seteuid, setgid and setegid functions.
On Nt and Win2000 the SYSTEM user has these privileges and can run services
such
as sshd. However on Windows 2003, SYSTEM is lacking the "Create a token
object"
right. It is then necessary to create a special user with all the necessary
rights,
as well as "Logon as a service", to run such services.
For security reasons this user should be denied the rights to logon
interactively
or over the network. All this is done by configuration scripts such as
ssh-host-config.
An important restriction of this method is that a process started under a
local
account can't access network shares that require authentication. This also
applies
to the subprocesses that switched the user context without a password.
People using
network home drives are typically not able to access it when trying to
login using ssh
or rsh without password.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -