Mail Archives: cygwin-developers/2001/05/04/10:31:10
Wow! Thank you for this!!!
I recall it being a big task :]
I do hope it wasn't _too_ big.
Rob
----- Original Message -----
From: "Corinna Vinschen" <vinschen AT redhat DOT com>
To: "cygdev" <cygwin-developers AT cygwin DOT com>
Sent: Saturday, May 05, 2001 12:00 AM
Subject: New subdirectory in winsup
> Hi,
>
> I have just added a new subdirectory to winsup called "subauth".
> To update your local sandbox you'll have to change to your
> $(cygwinsrcdir)/winsup directory and call `cvs up -d'.
>
> That new subdirectory contains the code to generate a subauthentication
> DLL which allows the new code in cygwin/security.cc to change the
> user context without providing a password on NT/W2K systems.
>
> The installation is somewhat tricky. When you've successfully built
> the DLL, you'll have to copy it into your $SYSTEMROOT/system32
> directory. It's unfortunately not enough to add for example
> C:\cygwin\bin to the system environment PATH variable so that
> subauth DLLs are searched there, too.
>
> Then you'll have to add a registry entry to
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0
>
> The new value should be named "Auth255", type REG_SZ, and should contain
> the string "CYGSUBA". If for some reason your system already contains
> an "Auth255" value, create an "Auth254" or so (NEVER "Auth0"!!!) and
> add the following to your CYGWIN variable:
>
> CYGWIN= ... subauth_id:254 ...
>
> The default value of "subauth_id" is 255 according to the above
> description and the recommendation of Microsoft.
>
> Then be sure to have an account with the SE_TCB_NAME "Act as part
> of the operating system" privilege active since it's needed to
> be able to contact the LSA subsystem which manages the user
> authentication in NT/W2K. That right is by default only given to
> LocalSystem. That's of course no advice to always create such an
> account but it's only for testing purposes!
>
> Then reboot as you should be used to as a Windows user.
>
> After logging in as the user which has the SE_TCB_NAME privilege,
> you should be able to use the good old `su' which you probably
> still have on your system to change the user context.
>
> If you don't have `su', just try the following test app:
>
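> =========================
> #include <unistd.h>
> #include <stdio.h>
> #include <stdlib.h>     /* atoi */
> #include <sys/types.h>
> #include <sys/wait.h>   /* wait */
> #include <pwd.h>
> #include <grp.h>
>
> int
> main (int argc, char **argv)
> {
>   uid_t uid;
>   gid_t gid;
>   int pid, s;
>
>   if (argc < 3)
>     {
>       fprintf (stderr, "usage: %s uid gid\n", argv[0]);
>       return 1;
>     }
>   /* Remember the original context so it can be restored at the end. */
>   gid = getegid ();
>   uid = geteuid ();
>   printf ("BEFORE: uid: %d, gid: %d\n", (int) geteuid (), (int) getegid ());
>   /* Switch the effective group first, then the effective user. */
>   setegid (atoi (argv[2]));
>   seteuid (atoi (argv[1]));
>   printf ("AFTER: uid: %d, gid: %d\n", (int) geteuid (), (int) getegid ());
>   switch (pid = fork ())
>     {
>     case -1:
>       fprintf (stderr, "fork failed\n");
>       break;
>     case 0:
>       /* The child runs a login shell in the new user context. */
>       printf ("CHILD: uid: %d, gid: %d\n", (int) geteuid (), (int) getegid ());
>       execlp ("bash", "bash", "--login", NULL);
>       fprintf (stderr, "exec failed\n");
>       return 1;   /* Only reached if exec failed; don't run the parent's code. */
>     default:
>       wait (&s);
>       break;
>     }
>   /* Back in the parent: restore the original context. */
>   setegid (gid);
>   seteuid (uid);
>   printf ("BACK: uid: %d, gid: %d\n", (int) geteuid (), (int) getegid ());
>   return 0;
> }
> =========================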
>
> Corinna
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                  mailto:cygwin AT cygwin DOT com
> Red Hat, Inc.
>
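
The registry value and the `subauth_id` setting described in the quoted mail have to agree, so here is an added consistency check (not part of the original message and not Cygwin code). It assumes the key was dumped with `reg query` in the usual indented "name, type, data" layout; the sample dump is constructed and all function names are hypothetical.

```python
import re

# Constructed sample in the layout `reg query` prints (assumed: indented
# "name  TYPE  data" rows). Not captured from a real system.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0
    Auth254    REG_SZ    CYGSUBA
    ntlmminclientsec    REG_DWORD    0x0
"""

ROW = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Return {lowercased value name: (type, data)} from a `reg query` dump."""
    rows = (ROW.match(line) for line in text.splitlines())
    return {m.group(1).lower(): (m.group(2), m.group(3).strip()) for m in rows if m}

def registered_subauth_dlls(values):
    """Map every AuthN slot to the DLL name it registers (useful for review)."""
    return {int(n[4:]): d for n, (_, d) in values.items() if re.fullmatch(r"auth\d+", n)}

def subauth_id(cygwin_var, default=255):
    """Read subauth_id:N from the CYGWIN variable; 255 is the mail's default."""
    m = re.search(r"(?:^|\s)subauth_id:(\d+)(?=\s|$)", cygwin_var)
    return int(m.group(1)) if m else default

def check_subauth(reg_text, cygwin_var, dll="CYGSUBA"):
    """Return a list of problems; an empty list means both settings agree."""
    sid = subauth_id(cygwin_var)
    if sid == 0:
        return ["subauth_id:0 points at Auth0, which the mail says never to use"]
    entry = parse_reg_query(reg_text).get(f"auth{sid}")
    if entry is None:
        return [f"Auth{sid} is missing from the MSV1_0 key"]
    problems = []
    if entry[0] != "REG_SZ":
        problems.append(f"Auth{sid} has type {entry[0]}, expected REG_SZ")
    if entry[1].upper() != dll:
        problems.append(f"Auth{sid} registers {entry[1]!r}, expected {dll!r}")
    return problems

if __name__ == "__main__":
    print(check_subauth(SAMPLE_REG, "tty subauth_id:254"))  # settings agree
    print(check_subauth(SAMPLE_REG, "tty"))                 # falls back to 255
```

`registered_subauth_dlls` lists every `AuthN` slot in the dump, which is also the place to look when reviewing which DLLs a machine loads into the LSA authentication path.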