Mail Archives: cygwin/2011/10/15/13:33:00
> On Oct 14 21:14, Corinna Vinschen wrote:
> > On Oct 14 20:23, Corinna Vinschen wrote:
> > > On Oct 14 11:18, Andrew Schulman wrote:
> > > > So the difference AFAICT is the membership in the Administrators group.
> > > > Notice also in the two listings below, that by password authentication,
> > > > backup gets
> > > >
> > > > Mandatory Label\High Mandatory Level
> > > >
> > > > while by pubkey, he gets
> > > >
> > > > Mandatory Label\Medium Mandatory Level
> > > >
> > > > whatever those are.
> > >
> > > That's an UAC thingy. Keep in mind that Cygwin has to create the user
> > > token from scratch here, given that you are using passwored-less setuid
> > > method 1
> > > (per http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview).
> > > I'm not aware of a method to fetch the mandatory level SID a user is
> > > supposed to get, so what Cygwin does is simply to base the mandatory
> > > level SID on the membership in the admins group.
> >
> > I just debugged this and now I know why this happens. The problem
> > is the aforementioned Mandatory Label. A user token which has medium
> > mandatory level can not enable these privileges, even if they are in
> > the user token. If I create the token with high mandatory level,
> > it's no problem to enable the backup/restore permissions at process
> > startup.
> >
> > However, I don't think it's a good idea to set the high mandatory level
> > on a token unconditionally. This should only be done if the token
> > contains certain privileges. The problem now is to find out which
> > permissions are affected by this. I don't see any list of privileges
> > on MSDN in terms of UAC restriction. Oh well, no pain, no gain.
>
> I applied a patch to CVS which should solve this problem in a generic
> way. I observed how Windows handles the privileges when creating a
> token and your scenario should be nicely covered now. I also dropped a
> somewhat dangerous behaviour in terms of security when creating a token
> from scratch.
Thank you. I'll test the next snapshot and let you know how it goes.
You said that Cygwin should only set the high mandatory level if the token
contains certain privileges. So I guess that SeBackupPrivilege and
SeRestorePrivilege are among the ones that trigger the high mandatory
level? Anything more we should know about that?
The complexity of this thing sure is growing. Amazing that new wrinkles
are still being found.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
- Raw text -