Mail Archives: cygwin-developers/2001/05/07/13:41:45
On Mon, May 07, 2001 at 11:56:02AM -0500, Parker, Ron wrote:
> > Then be sure to have an account with the SE_TCB_NAME "Act as part
> > of the operating system" privilege active since it's needed to
> > be able to contact the LSA subsystem which manages the user
> > authentication in NT/W2K. That right is by default only given to
> > LocalSystem. That's of course no advice to always create such an
> > account but it's only for testing purposes!
>
> Am I understanding properly that this privilege must be added to the user's
> log in account? If so, it seems to me that this would possibly introduce
> some further security issues.
If user A (say, root) wants to `su' to a user account B (say, ronald
mc donald), then user A needs SE_TCB_NAME privilege. But as I already
told in my description, I don't recommend to do that. It's a good
thing to just start sshd under LocalSystem account or another special
`sshd' account with that privilege to use RSA/DSA authentication to
logon to the system. Sshd is running as root on U*X system for exactly
that reason.
> A few years ago I created an "su" program that I use for various purposes on
> Windows NT/2000. It has a service that is run under an account that has
> that privilege and a few others. The service is an OLE server and can be
> called from any application with a user's name and password as well as the
> name of a program to be executed. The service then impersonates the
> requested user and executes the application. This avoids giving the user's
> account a privilege that IMO is dangerous.
I never recommended to do that. Not every user may change user
context. It's the decision of the admin to allow or disallow
that.
> I would recommend incorporating such functionality into a daemon like what I
> understand Egor was working on.
An extra service routine would never allow to just fork a
process. That would for example require to change various
parts of sshd to work. With the subauth DLL, sshd could
work as it's own service as described above.
> I have one question. Has anyone figured out a way in Windows to allow root
> to "su username" without knowing the users password?
That's exactly the problem my subauthentication DLL solves. It
provides a way to logon without password. Unfortunately there's
no way in NT/W2K to do that if you don't have the SE_TCB_NAME
or the SE_CREATE_TOKEN_NAME privilege. Interesting enough, _if_
you have SE_TCB_NAME privilege, that allows nevertheless changing
user context only if you know the password.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
- Raw text -