X-Recipient: archive-cygwin@delorie.com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:message-id:from:to:subject:content-type; q=dns; s=default; b=WsFDr3L8edJULbrA3eTbBcNy/Jae7P0UgL6iuwQreTF GW7K2pBx6g9Xgq5NxjdXDUg+cQo3S9KN7PilXB6JAkUAqnnQm4n93qucEmLJ2UHy R4AIsVqG3XJZiqqWu8CU+P9hh0z5VU3WdACxJwvBl4GNOHWqrEID8HusXbfQwVj0 = DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:message-id:from:to:subject:content-type; s=default; bh=85atdXPpqNyczGQj0x2Q1txRh88=; b=DsJJSXdJZg9qFn3Bv LSku83yxxF09ZUnNtHSKMCeksDbGXpvH4hodtBEIsVcDBpZ3tqs6YzzixOrINnhX BR2+Po59QUzqqf5whWgr/C36GT+4kND5/Mvn0eGb1RxJ2APJyQVPUZLkTs343rBW FTLBdzsmo+uqBLjI6WtsnlJGNA= Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Delivered-To: mailing list cygwin@cygwin.com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-7.0 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_2,NORMAL_HTTP_TO_IP,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=Seven, Switching, acquainted, Surprise X-HELO: lb1-smtp-cloud3.xs4all.net Date: Thu, 08 Jun 2017 16:46:38 +0200 Message-ID: <09b517b4e22a170590f36f240383189b@smtp-cloud3.xs4all.net> From: Houder To: cygwin@cygwin.com Subject: Switching the user context -- SeAssignPrimaryTokenPrivilege required Re: Installing sshd on W7 reveals errors in CSIH_SCRIPT -- patch file against master Content-Type: text/plain; charset=UTF-8; format=fixed User-Agent: mua.awk 0.99 Hi Corinna, Maybe you are still around ... otherwise it will be for the next round. During my exercise with sshd I was "forced" :-) to study the User Guide, as I am not "well informed" :-P about the security model of Windows. I am referring to this paragraph: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview (switching the user context) To get a bit more acquainted with the stuff, I decided to try your example at the beginning of this paragraph - i.e. the example in subparagraph "Switching the user context WITH password authentication". (I modified the example in order to make a bit more "exciting" -- see below) 64-@@# uname -a CYGWIN_NT-6.1 Seven 2.8.0(0.309/5/3) 2017-04-01 20:47 x86_64 Cygwin 64-@@# editrights -u Henri -l SeLockMemoryPrivilege <==== no special? privileges ... 64-@@# ./setuid Password: BEFORE uid = 1000, gid = 513 BEFORE euid = 1000, egid = 513 AFTER uid = 1004, gid = 513 AFTER euid = 1004, egid = 513 Surprise: execl() failed: : Operation not permitted retval = -1 Should not be reached ... 64-@@# First I tried adding SeTcbPrivilege ("extremely powerful", according to what I read at MSDN). Logoff/Logon ... That did not help. Got the same result. So, NOT that powerful ... Secondly I tried adding SeAssignPrimaryTokenPrivilege ... Logoff/Logon ... 64-@@# ./setuid Password: BEFORE uid = 1000, gid = 513 BEFORE euid = 1000, egid = 513 AFTER uid = 1004, gid = 513 AFTER euid = 1004, egid = 513 sh-4.4$ id uid=1004(jvdwater) gid=513(None) groups=513(None),545(Users),11(Authenticated Users) sh-4.4$ exit 64-@@# It might be ?obvious? to an expert on Windows (after having searched through MSDN?), that this privilege (SeAssignPrimaryTokenPrivilege) is required ... That is, when one is going to invoke CreateProcessAsUser() ... However, someone without that knowledge ... Perhaps a small note to that effect (special privilege required!) in "Switching the user context with password authentication" might help the 'innocent' reader. Regards. Henri ----- setuid.c: int main() { const struct passwd *user_pwd_entry = getpwnam ("jvdwater"); const char *cleartext_password = getpass ("Password:"); /* Patch the typical password test. */ HANDLE token; /* Try to get the access token from Windows. */ token = cygwin_logon_user (user_pwd_entry, cleartext_password); if (token == INVALID_HANDLE_VALUE) { printf("1\n"); exit(EXIT_FAILURE); } // error_exit; /* Inform Cygwin about the new impersonation token. */ cygwin_set_impersonation_token (token); /* Cygwin is now able, to switch to that user context by setuid or seteuid calls. */ printf("BEFORE uid = %4u, gid = %4u\n", getuid(), getgid() ); printf("BEFORE euid = %4u, egid = %4u\n", geteuid(), getegid() ); if (setgid (user_pwd_entry->pw_gid) != 0) // Use set[gu]id, NOT sete[gu]id { printf("3\n"); exit(EXIT_FAILURE); } if (setuid (user_pwd_entry->pw_uid) != 0) // Use set[gu]id, NOT sete[gu]id { printf("4\n"); exit(EXIT_FAILURE); } printf("AFTER uid = %4u, gid = %4u\n", getuid(), getgid() ); printf("AFTER euid = %4u, egid = %4u\n", geteuid(), getegid() ); // uid (and euid) should be set to jvdwater at this point int retval = execl ("/bin/bash", "sh", (char *) NULL); if (retval != 0) { perror("Surprise: execl() failed: "); } // SeAssignPrimaryTokenPrivilege missing? printf("retval = %d\n", retval); printf("Should not be reached ...\n"); } ==== -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple