| X-Recipient: | archive-cygwin AT delorie DOT com |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=-101.9 required=5.0 tests=AWL,BAYES_00,GOOD_FROM_CORINNA_CYGWIN,KAM_LAZY_DOMAIN_SECURITY,NORMAL_HTTP_TO_IP,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=Hx-languages-length:2644, Seven, seven, informed |
| X-HELO: | drew.franken.de |
| Date: | Fri, 9 Jun 2017 11:00:36 +0200 |
| From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: Switching the user context -- SeAssignPrimaryTokenPrivilege required Re: Installing sshd on W7 reveals errors in CSIH_SCRIPT -- patch file against master |
| Message-ID: | <20170609090036.GH13513@calimero.vinschen.de> |
| Reply-To: | cygwin AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| References: | <09b517b4e22a170590f36f240383189b AT smtp-cloud3 DOT xs4all DOT net> |
| MIME-Version: | 1.0 |
| In-Reply-To: | <09b517b4e22a170590f36f240383189b@smtp-cloud3.xs4all.net> |
| User-Agent: | Mutt/1.8.0 (2017-02-23) |
On Jun 8 16:46, Houder wrote:
> Hi Corinna,
>
> Maybe you are still around ... otherwise it will be for the next round.
>
> During my exercise with sshd I was "forced" :-) to study the User Guide, as I
> am not "well informed" :-P about the security model of Windows.
>
> I am referring to this paragraph:
>
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> (switching the user context)
>
> To get a bit more acquainted with the stuff, I decided to try your example at
> the beginning of this paragraph - i.e. the example in subparagraph "Switching
> the user context WITH password authentication".
>
> (I modified the example in order to make a bit more "exciting" -- see below)
>
> 64-@@# uname -a
> CYGWIN_NT-6.1 Seven 2.8.0(0.309/5/3) 2017-04-01 20:47 x86_64 Cygwin
> 64-@@# editrights -u Henri -l
> SeLockMemoryPrivilege <==== no special? privileges ...
>
> 64-@@# ./setuid
> Password:
> BEFORE uid = 1000, gid = 513
> BEFORE euid = 1000, egid = 513
> AFTER uid = 1004, gid = 513
> AFTER euid = 1004, egid = 513
> Surprise: execl() failed: : Operation not permitted
> retval = -1
> Should not be reached ...
> 64-@@#
>
> First I tried adding SeTcbPrivilege ("extremely powerful", according to what I
> read at MSDN). Logoff/Logon ...
>
> That did not help. Got the same result. So, NOT that powerful ...
>
> Secondly I tried adding SeAssignPrimaryTokenPrivilege ... Logoff/Logon ...
>
> 64-@@# ./setuid
> Password:
> BEFORE uid = 1000, gid = 513
> BEFORE euid = 1000, egid = 513
> AFTER uid = 1004, gid = 513
> AFTER euid = 1004, egid = 513
> sh-4.4$ id
> uid=1004(jvdwater) gid=513(None) groups=513(None),545(Users),11(Authenticated Users)
> sh-4.4$ exit
> 64-@@#
>
> It might be ?obvious? to an expert on Windows (after having searched through
> MSDN?), that this privilege (SeAssignPrimaryTokenPrivilege) is required ...
>
> That is, when one is going to invoke CreateProcessAsUser() ...
>
> However, someone without that knowledge ...
> Perhaps a small note to that effect (special privilege required!) in "Switching
> the user context with password authentication" might help the 'innocent' reader.

You're not supposed to do that. setuid() is a privileged call, so it's
supposed to be called by a privileged process only. Do not add these
permissions to a normal user account unless you exactly know what you're
doing security-wise.
Corinna
-- 
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
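
Added example, not part of either poster's message: a small audit that flags ordinary accounts holding the two privileges discussed in this thread, reading the one-privilege-per-line listing that `editrights -u USER -l` produces. The allow-list (`SYSTEM`, `cyg_server`) and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Privilege names are the two the thread
# discusses; the allow-list and sample data below are constructed.
SENSITIVE_PRIVS="SeTcbPrivilege SeAssignPrimaryTokenPrivilege"
# Assumption: accounts that are meant to hold them on this host.
ALLOWED_ACCOUNTS="SYSTEM cyg_server"

# Read one privilege per line on stdin (the layout `editrights -u USER -l`
# shows in the thread) and print the sensitive ones, space-separated.
sensitive_privs_in() {
    awk -v watch="$SENSITIVE_PRIVS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            sub(/\r$/, "")                      # tolerate CRLF output
            if (($1 in want) && !seen[$1]++)    # first field only, no duplicates
                out = out (out ? " " : "") $1
        }
        END { printf "%s", out }'
}

# audit_account ACCOUNT < privilege-list
# Returns 1 and prints a finding when an account outside the allow-list holds
# a sensitive privilege; returns 0 otherwise.
audit_account() {
    acct=$1
    hits=$(sensitive_privs_in)
    if [ -z "$hits" ]; then return 0; fi
    case " $ALLOWED_ACCOUNTS " in
        *" $acct "*) return 0 ;;
    esac
    printf 'FINDING: %s holds %s\n' "$acct" "$hits"
    return 1
}

# Constructed sample: an ordinary account after the second change in the thread.
audit_account Henri <<'EOF' || true
SeLockMemoryPrivilege
SeAssignPrimaryTokenPrivilege
EOF

# On a Cygwin host, feed it live data instead:
#   for a in Henri jvdwater; do editrights -u "$a" -l | audit_account "$a"; done
```
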
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |