Mail Archives: cygwin/2017/05/31/15:52:34

Subject: Re: openssh: privilege separation no longer supported on Cygwin?
To: cygwin AT cygwin DOT com
References: <d436698bbd53eef3cbdda788d4926109 AT xs4all DOT nl> <37b863f6-ce5c-ef13-569f-8044fe485075 AT gmail DOT com> <20e2702ca3837f5d54c558f8e786c717 AT xs4all DOT nl>
From: Marco Atzeri <marco DOT atzeri AT gmail DOT com>
Message-ID: <aa5d0288-9842-fd07-ca9e-619324d00914@gmail.com>
Date: Wed, 31 May 2017 21:52:06 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <20e2702ca3837f5d54c558f8e786c717@xs4all.nl>

On 29/05/2017 11:48, Houder wrote:
> On 2017-05-29 10:39, Marco Atzeri wrote:
>> On 29/05/2017 07:23, Houder wrote:
>
> [snip]
>>> ... because, that is, I think, what I am seeing:
>>>
>>>  - the userid of child sshd is still 'cyg_server' ...
>>>  - and I get an elevated shell when I login ...
>>>
>>> Not what I expected ...
>>>
>>> Gr. Henri
>>>
>>
>> Hi Houder,
>> please read the last Announcement
>>
>> https://sourceware.org/ml/cygwin-announce/2017-03/msg00028.html
>
> [snip]
>> It seems you misunderstood the communication:
>> - the possibility to NOT use "privilege separation" is deprecated
>> - "privilege separation" will become mandatory
>
> Hi Marco,
>
> Sorry for the misunderstanding. Yes, to my knowledge, PS, privilege
> separation, is now mandatory (using a new mechanism under Linux [1]).
>
> [1] sandboxing?
>
> Because of PS, I expect to see an UNprivileged sshd process talking
> to the user process (where the ssh command has been executed).
>
> But above all, I expect an UNelevated shell when I log in ...
>
> However, what I get after login (after providing my credentials) is
> an ELEVATED shell (yes, Administrators is part of the group set).

Is your user a member of Administrators?

>
> Now I wonder if this happens because I do NOT observe PS.
>
> Look below, please ... After executing the ssh command, ssh asks for
> my credentials ... instead of providing my credentials, I execute
> the ps command in a second terminal. To my surprise, the grandchild
> of the listener is executed using "cyg_server" and not "sshd" ...
>
> Currently, I am looking at:
>
>     https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>
> Regards,
> Henri
>

On my system, as reported by lusrmgr.msc,
cyg_server is a privileged user, a member of Administrators;
sshd is a normal user, as expected from reading ssh-host-config.

The cyg_server account can setuid to other users;
otherwise you cannot change user id:

$ pstree -u
?─┬─cygrunsrv(cyg_server)───sshd───sshd───bash(marco)───pstree
   ├─mintty(marco)───bash───ssh
   └─mintty(marco)───bash

Regards
Marco
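
Reading the `pstree -u` output above: pstree prints "(user)" only where a process's uid differs from its parent's, so unannotated processes inherit the owner shown earlier in the branch. The following is an added example, not part of the original message, that resolves the owner of every process in one branch; the function names are hypothetical, the first sample line is copied from the message and the second is constructed for contrast.

```python
import re

# Branch copied from the pstree -u output in the message above.
PAGE_LINE = "?─┬─cygrunsrv(cyg_server)───sshd───sshd───bash(marco)───pstree"
# Constructed for contrast: a child sshd that switched to the "sshd" account.
CONSTRUCTED_LINE = "?───cygrunsrv(cyg_server)───sshd───sshd(sshd)"

_CONNECTORS = re.compile(r"[─┬├└│\s]+")  # UTF-8 tree-drawing characters
_NODE = re.compile(r"^(?P<name>[^()\[\]{}*]+)(?:\((?P<user>[^()]+)\))?$")


def resolve_owners(branch):
    """Return [(process, owner)] for one uncompacted pstree -u branch.

    An unannotated process inherits the owner of the process before it;
    the owner is None until the first "(user)" annotation (the "?" root).
    """
    owners, current = [], None
    for token in filter(None, _CONNECTORS.split(branch)):
        m = _NODE.match(token)
        if m is None:  # compacted "2*[...]" or thread "{...}" entries
            raise ValueError(f"unsupported pstree node: {token!r}")
        if m.group("user"):
            current = m.group("user")
        owners.append((m.group("name"), current))
    return owners


def summarize(branch, daemon="sshd"):
    """Report which accounts the daemon runs as and where the uid changes."""
    chain = resolve_owners(branch)
    transitions = [(name, owner) for i, (name, owner) in enumerate(chain)
                   if i > 0 and owner != chain[i - 1][1]]
    return {
        "daemon_owners": [owner for name, owner in chain if name == daemon],
        "uid_transitions": transitions,
    }


if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        print(summarize(line))
```

For the branch from the message, both sshd processes resolve to cyg_server and the only uid change after the service start is at bash(marco).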





