Subject: Re: openssh: privilege separation no longer supported on Cygwin?
To: cygwin AT cygwin DOT com
References: <d436698bbd53eef3cbdda788d4926109 AT xs4all DOT nl> <37b863f6-ce5c-ef13-569f-8044fe485075 AT gmail DOT com> <20e2702ca3837f5d54c558f8e786c717 AT xs4all DOT nl> <aa5d0288-9842-fd07-ca9e-619324d00914 AT gmail DOT com>
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Message-ID: <6b0d9174-fb5a-8904-13f4-84c7799e9a78@SystematicSw.ab.ca>
Date: Wed, 31 May 2017 15:07:26 -0600
In-Reply-To: <aa5d0288-9842-fd07-ca9e-619324d00914@gmail.com>
On 2017-05-31 13:52, Marco Atzeri wrote:
> On 29/05/2017 11:48, Houder wrote:
>> On 2017-05-29 10:39, Marco Atzeri wrote:
>>> On 29/05/2017 07:23, Houder wrote:
>>
>> [snip]
>>>> ... because, that is, I think, what I am seeing:
>>>>
>>>> - the userid of child sshd is still 'cyg_server' ...
>>>> - and I get an elevated shell when I login ...
>>>>
>>>> Not what I expected ...
>>>>
>>>> Gr. Henri
>>>>
>>>
>>> Hi Houder,
>>> please read the last Announcement
>>>
>>> https://sourceware.org/ml/cygwin-announce/2017-03/msg00028.html
>>
>> [snip]
>>> It seems you misunderstood the communication:
>>> - the possibility to NOT use "privilege separation" is deprecated
>>> - "privilege separation" will become mandatory
>>
>> Hi Marco,
>>
>> Sorry for the misunderstanding. Yes, to my knowledge, PS, privilege
>> separation, is now mandatory (using a new mechanism under Linux [1]).
>>
>> [1] sandboxing?
>>
>> Because of PS, I expect to see an UNprivileged sshd process talking
>> to the user process (where the ssh command has been executed).
>>
>> But above all, I expect an UNelevated shell when I log in ...
>>
>> However, what I get after login (after providing my credentials) is
>> an ELEVATED shell (yes, Administrators is part of the group set).
>
> Is your user a member of Administrators?
>
>>
>> Now I wonder if this happens because I do NOT observe PS.
>>
>> Look below, please ... After executing the ssh command, ssh asks for
>> my credentials ... instead of providing my credentials, I execute
>> the ps command in a second terminal. To my surprise, the grandchild
>> of the listener is executed using "cyg_server" and not "sshd" ...
>>
>> Currently, I am looking at:
>>
>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>
>> Regards,
>> Henri
>>
>
> On my system, as reported by lusrmgr.msc:
> cyg_server is a privileged user, member of Administrators;
> sshd is a normal user, as expected reading ssh-host-config.
>
> The cyg_server account can setuid to other users,
> otherwise you cannot change user id:
>
> $ pstree -u
> ?─┬─cygrunsrv(cyg_server)───sshd───sshd───bash(marco)───pstree
>   ├─mintty(marco)───bash───ssh
>   └─mintty(marco)───bash

You might want to look at the UG NT Security section on using LSA and
passwd -R to impersonate unprivileged userids.

Normally sshd is set up using the cyg_server account by ssh-host-config:
run cygrunsrv with -VQ (-QV doesn't work) to see most settings, e.g.

$ cygrunsrv -VQ sshd
Service             : sshd
Display name        : CYGWIN sshd
Current State       : Running
Controls Accepted   : Stop, Preshutdown
Command             : /usr/sbin/sshd -D
stdin path          : /dev/null
stdout path         : /var/log/sshd.log
stderr path         : /var/log/sshd.log
Process Type        : Own Process
Startup             : Automatic
Dependencies        : cygserver, tcpip
Account             : .\cyg_server

You can also check the Windows view with:

$ sc qc sshd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: sshd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\...\cygwin64\bin\cygrunsrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CYGWIN sshd
        DEPENDENCIES       : cygserver
                           : tcpip
        SERVICE_START_NAME : .\cyg_server

And I have a script that lists all service registry settings for checking,
and works with all Windows services, not just Cygwin services started by
cygrunsrv:

$ scqc.sh sshd
sshd DelayedAutostart 1
sshd DependOnService cygserver tcpip
sshd DisplayName CYGWIN sshd
sshd ErrorControl 1
sshd ImagePath C:\...\cygwin64\bin\cygrunsrv.exe
sshd ObjectName .\cyg_server
sshd Parameters AppPath AppArgs Preshutdown
sshd Start 2
sshd Type 16
sshd Parameters/AppArgs -D
sshd Parameters/AppPath /usr/sbin/sshd
sshd Parameters/Preshutdown 1

enabling you to easily see what service settings to change using sc or
registry commands like Cygwin regtool or Windows reg, as cygrunsrv does
not support all sc settings, or dynamic changes, only -R remove and -I
install, which stops the service.

Parameters is a standard subkey also used by other non-Cygwin services.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
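As an added example (not code from the thread and not Brian's scqc.sh), a POSIX shell check that reads the service account from both the cygrunsrv -VQ view and the sc qc view and confirms they agree with the account ssh-host-config is expected to set; the two listings are constructed samples modelled on the output quoted above.

```shell
#!/bin/sh
# Constructed sample output in the style of "cygrunsrv -VQ sshd"
# (not captured from a live host).
CYGRUNSRV_SAMPLE='Service             : sshd
Display name        : CYGWIN sshd
Current State       : Running
Command             : /usr/sbin/sshd -D
Startup             : Automatic
Dependencies        : cygserver, tcpip
Account             : .\cyg_server'

# Constructed sample output in the style of "sc qc sshd".
SC_SAMPLE='[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: sshd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        DISPLAY_NAME       : CYGWIN sshd
        DEPENDENCIES       : cygserver
                           : tcpip
        SERVICE_START_NAME : .\cyg_server'

# Extract one "Key : value" field from cygrunsrv -VQ style output.
cygrunsrv_field() {  # $1 = output, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*: *//p"
}

# Extract one field from sc qc style output (leading blanks allowed).
sc_field() {  # $1 = output, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*: *//p"
}

# Cross-check the Cygwin view against the Windows view of the account
# the service logs on with. Returns 0 only when both match $3.
check_service_account() {  # $1 = cygrunsrv output, $2 = sc output, $3 = expected
    cyg_acct=$(cygrunsrv_field "$1" Account)
    win_acct=$(sc_field "$2" SERVICE_START_NAME)
    [ "$cyg_acct" = "$3" ] && [ "$win_acct" = "$3" ]
}

if check_service_account "$CYGRUNSRV_SAMPLE" "$SC_SAMPLE" '.\cyg_server'; then
    echo "sshd service account matches the expected .\\cyg_server in both views"
else
    echo "sshd service account differs between views or from expectation"
fi
```

On a live Cygwin host the two samples would be replaced by `$(cygrunsrv -VQ sshd)` and `$(sc qc sshd)`; a mismatch is the first thing to look at when the running sshd is not the account you configured.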