Mail Archives: cygwin/2017/05/30/21:28:57

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Reply-To: cygwin AT cygwin DOT com
Subject: Re: openssh: privilege separation no longer supported on Cygwin? SURPRISE!
References: <d436698bbd53eef3cbdda788d4926109 AT xs4all DOT nl> <37b863f6-ce5c-ef13-569f-8044fe485075 AT gmail DOT com> <20e2702ca3837f5d54c558f8e786c717 AT xs4all DOT nl> <b16023ad6735108510ae351a8378a420 AT xs4all DOT nl> <262615c8cf6e134cedf97b0280c4a68f AT smtp-cloud2 DOT xs4all DOT net>
To: cygwin AT cygwin DOT com
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Message-ID: <592E1C49.6020202@cygwin.com>
Date: Tue, 30 May 2017 21:28:41 -0400
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <262615c8cf6e134cedf97b0280c4a68f@smtp-cloud2.xs4all.net>

On 05/30/2017 09:50 AM, Houder wrote:
> On Mon, 29 May 2017 19:14:30, Houder wrote:
>
> [snip]
>> As if the "sshd" account is NEVER, NEVER used during the _whole_ process
>> (that is, there is NO privilege separation, as far as I can tell).
>
> .. wanted to share this experience with you.
>
>   - deleted user/account 'sshd' # net user sshd /delete
>   - modified the last part (rid?) of the sid belonging to user/account 'sshd'
>     in xxxx (in /etc/passwd)
>   - rebooted
>
> Before reboot, I changed 'sshd' into an automatic service (was: manual)
>
> After the system had rebooted:
>
>   - 'cygrunsrv -Q sshd' shows 'sshd' running ...
>   - 'tail -f /var/log/sshd.log' shows 'sshd' listening ...
>   - 'net user' shows user/account 'sshd' gone ...
>
> I can still use ssh ... (both password authentication and key authentication)
>
> Yes, if I remove user/account 'sshd' completely from /etc/passwd, only
> then 'sshd' won't start ...

Cygwin's link to the Windows user ID is through the UID/SID mapping.  In
your case, you're apparently using /etc/passwd and so that's where the
mapping happens.  You can map the UID of a Cygwin user to any valid Windows
SID by editing the SID as you did.  This doesn't change how things look in
the Cygwin environment (i.e. the UID and user name are still the same) but
it does make a difference to Windows.  So the fact that you can change the
SID for the 'sshd' user and still get it to run is not all that surprising,
assuming that the new Windows SID that you're using as 'sshd' now has at
least similar permissions.  Of course, if you remove Cygwin's understanding
of 'sshd' so that it can't do the mapping of UID to SID or even have a
valid UID, then subsequent problems are not unexpected.


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?
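
An added example, not part of the original message and not Cygwin's own code: a small audit of the /etc/passwd UID/SID mapping described in the reply above, flagging entries whose SID is missing, matches no existing Windows account, or is shared with another entry. It assumes the SID is stored as a comma-separated item in the gecos field; the sample entries, SIDs and the `EXISTING_SIDS` set are constructed.

```python
import re

# Constructed sample (all names and SIDs made up), in the layout assumed here:
# the Windows SID is one comma-separated item of the gecos (5th) field.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_PASSWD = f"""\
Administrator:*:500:513:U-HOST\\Administrator,{DOM}-500:/home/Administrator:/bin/bash
sshd:*:1006:513:sshd privsep,U-HOST\\sshd,{DOM}-9999:/var/empty:/bin/false
cyg_server:*:1007:513:Privileged server,U-HOST\\cyg_server,{DOM}-1007:/var/empty:/bin/false
backup:*:1008:513:U-HOST\\backup,{DOM}-500:/home/backup:/bin/bash
nosid:*:1009:513:no mapping here:/home/nosid:/bin/bash
"""
# Constructed stand-in for the SIDs of accounts that really exist in Windows.
EXISTING_SIDS = {f"{DOM}-500", f"{DOM}-1007"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_passwd(text):
    """Yield (name, uid, sid_or_None) for every well-formed passwd entry."""
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue  # comment, blank or malformed line
        items = [item.strip() for item in fields[4].split(",")]
        sid = next((i for i in items if SID_RE.match(i)), None)
        yield fields[0], int(fields[2]), sid


def audit(text, existing_sids):
    """Return {user: finding} for entries whose UID/SID mapping needs review."""
    findings, owner = {}, {}
    for name, _uid, sid in parse_passwd(text):
        if sid is None:
            findings[name] = "no SID in gecos field"
        elif sid in owner:
            findings[name] = f"same SID as '{owner[sid]}'"
        elif sid not in existing_sids:
            findings[name] = "SID matches no existing Windows account"
        if sid:
            owner.setdefault(sid, name)
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_PASSWD, EXISTING_SIDS).items():
        print(f"{user}: {finding}")
```

On a real host the set of existing SIDs would be taken from the Windows account database rather than hard-coded.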
