Mail Archives: cygwin/2006/01/09/10:00:33

Date: Mon, 9 Jan 2006 16:00:22 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: 'su' no longer working?
Message-ID: <20060109150022.GE32312@calimero.vinschen.de>

On Jan  9 09:30, Igor Peshansky wrote:
> On Mon, 9 Jan 2006, Eric Blake wrote:
> 
> > According to Igor Peshansky on 1/9/2006 6:04 AM:
> > >
> > > Right, that's pretty much what I was asking for above.  Eric, if it
> > > helps, I can look into submitting the patch later this week, though I
> > > haven't looked at the coreutils code in a while, so it might take some
> > > time to understand the specifics.
> >
> > I've already been playing some with a cygwin-specific patch.  Using the
> > tips at http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid, I have
> > already gotten a working implementation that will switch user context on
> > NT machines with a password.  But I still want to get passwordless
> > switching working where possible.  The patch should apply to src/su.c
> > provided in the 5.93-2 source tarball from setup.exe, as a starting
> > point for your hacking.
> 
> Ok, thanks, I'll play around with it...
> 
> > Speaking of which, I noticed that in my attached patch (work in
> > progress), I got a failure return for PrivilegeCheck on my NT machine
> > when run as SYSTEM, even though my understanding is that on NT, SYSTEM
> > has the privileges of passwordless context switching.  Any ideas what I
> > might need to fix to make this check more robust, short of just trying a
> > setuid() to see if it will succeed without first doing the
> > cygwin_logon_user()/cygwin_set_impersonation_token() check?
> 
> Heh, what's wrong with doing that?  If setuid() fails, try it with a
> password -- I can't think of any caveats, frankly...  Corinna?

It's fine if su implements password login and trying to call set(e)uid
just to check if passwordless login might work is fine, too, but it's
a bit off my point.

My point is that Administrators don't have the permissions to do any one
of these actions by default.  You can't change user context unless you
have a service running under a privileged (SYSTEM) account, which starts
the process for you (RunAs, sshd).  The important fact here is that
users working under an Admin account expect that su just works for them,
but it doesn't.

So, whatever you do codewise, be prepared to either add descriptive
messages to su so that users read *why* su might fail for them, or
be prepared to get lots of questions on this list (since nobody reads
mailing list archives anyway).


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
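
An added illustration, not part of the message above or of the coreutils patch it discusses: the flow the thread settles on (try `setuid()` first, fall back to a password logon, and always say *why* a switch failed). The names `su_switch` and `su_ops` and the message wording are hypothetical, and the backends are constructed stand-ins so the logic runs without Cygwin.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; not taken from coreutils su. */
enum su_result { SU_OK_PASSWORDLESS, SU_OK_PASSWORD, SU_FAIL };

/* Platform hooks. On Cygwin these would wrap setuid() and the
   cygwin_logon_user()/cygwin_set_impersonation_token() pair named in the thread. */
struct su_ops {
    int (*try_setuid)(void);             /* 0 on success, -1 with errno set */
    int (*logon)(const char *password);  /* 0 if the logon produced a usable token */
};

/* Try the passwordless switch, fall back to a password logon, and leave
   a descriptive reason in msg whenever the switch did not happen. */
enum su_result su_switch(const struct su_ops *ops, const char *password,
                         char *msg, size_t len)
{
    msg[0] = '\0';
    if (ops->try_setuid() == 0)
        return SU_OK_PASSWORDLESS;
    int err = errno;
    if (password == NULL) {
        snprintf(msg, len, "su: passwordless switch refused (%s); it needs a "
                 "process started by a privileged (SYSTEM) service, and "
                 "Administrators lack this by default", strerror(err));
        return SU_FAIL;
    }
    if (ops->logon(password) != 0) {
        snprintf(msg, len, "su: password logon failed; check the password, "
                 "and note that changing user context needs privileges "
                 "Administrators do not hold by default");
        return SU_FAIL;
    }
    if (ops->try_setuid() != 0) {
        snprintf(msg, len, "su: setuid failed after logon: %s", strerror(errno));
        return SU_FAIL;
    }
    return SU_OK_PASSWORD;
}

/* Constructed stand-ins: a plain caller and one started by a privileged service. */
static int token_set;
static int plain_setuid(void) { if (token_set) return 0; errno = EPERM; return -1; }
static int service_setuid(void) { return 0; }
static int fake_logon(const char *pw) { token_set = !strcmp(pw, "secret"); return token_set ? 0 : -1; }
const struct su_ops PLAIN_OPS = { plain_setuid, fake_logon };
const struct su_ops SERVICE_OPS = { service_setuid, fake_logon };
```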

