From: Corinna Vinschen
Date: Wed, 13 Sep 2000 09:46:13 +0200
Subject: Re: how su works with no suid
Message-ID: <39BF30C5.80701514@cygnus.com>

edwede wrote:
>
> ok, let me ask it a different way...
>
> if I do an 'su - guest' it does not ask for password but just gives
> 'su: cannot set user id: Not owner'

Take a look into the sources of, say, `login'. You will see that you need
extra effort to get a user token from Windows to be able to use
setuid/seteuid. Documentation is available as well. It's currently not in
the online docs, but if you download the sources of cygwin you will find
it in `winsup/doc/ntsec.sgml', chapter "New setuid concept".

> in the end, I am trying to come up with an sshd version that installs as
> a service, uses rsa, etc...

There's already a ported working sshd. See that message:

http://sources.redhat.com/ml/cygwin/2000-09/msg00046.html

It provides RSA as long as you try to login as the owner of the sshd
process. You will not be able to provide RSA authentication which will
switch the user context without writing your own LSA authentication or
subauthentication package.

> --- here is some more detail about the problem.
> I am logged into nt as my nt-domain user that has local nt-admin rights.
>
> su and some other programs make a call to setuid or seteuid. In normal
> unix, the file 'su' is chmod to 4755 which is -rwsr-xr-x. There is no
> implementation of "set user execution bit on"

That's right. And if you want to switch the user context in NT you'll have
to stand on your head.
You'll have to provide the password, which has to be given to an NT-specific
logon function ("LogonUser()", which is wrapped by Cygwin's
"cygwin_logon_user()") to get a so-called "access token", which has to be
used to impersonate the user by calls to "ImpersonateLoggedOnUser()"
(wrapped by "cygwin_set_impersonation_token()") or "CreateProcessAsUser()"
(wrapped by "execve()"). See the source of login for a simple example:

ftp://sources.redhat.com/pub/cygwin/latest/login/login-1.4-1-src.tar.gz

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin AT sources DOT redhat DOT com
Red Hat, Inc.                     mailto:vinschen AT cygnus DOT com
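The user switch described above, written out as an added example (it is not code from the thread or from Cygwin's login), with the plain Unix path beside the NT token path so the extra step is visible. It assumes Cygwin's sys/cygwin.h declares cygwin_logon_user(const struct passwd *, const char *) returning a HANDLE (INVALID_HANDLE_VALUE on failure) and cygwin_set_impersonation_token(HANDLE), as the Cygwin sources of that era did; the error codes are this example's own.

```c
/* Added example: switch the calling process to another user.
 * On Cygwin/NT the password is mandatory, because setuid() only works once
 * an access token obtained from it has been handed to the DLL.  On a Unix
 * kernel no password is involved here: a setuid-root binary calls setuid()
 * and the kernel honours it on the strength of its privilege alone. */
#define _DEFAULT_SOURCE 1
#include <pwd.h>
#include <grp.h>
#include <unistd.h>
#include <stddef.h>
#ifdef __CYGWIN__
#include <windows.h>
#include <sys/cygwin.h>   /* assumed: cygwin_logon_user(), cygwin_set_impersonation_token() */
#endif

enum { SW_OK = 0, SW_BADARG = 1, SW_NOUSER = 2, SW_LOGON = 3, SW_SETID = 4 };

int switch_user(const char *name, const char *password)
{
    if (name == NULL || *name == '\0')
        return SW_BADARG;
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return SW_NOUSER;               /* unknown account: nothing to switch to */
#ifdef __CYGWIN__
    if (password == NULL)
        return SW_BADARG;               /* NT cannot build a token without it */
    /* LogonUser() under the hood; a wrong password yields INVALID_HANDLE_VALUE */
    HANDLE token = cygwin_logon_user(pw, password);
    if (token == INVALID_HANDLE_VALUE)
        return SW_LOGON;
    /* Hand the token to the Cygwin DLL: the following setuid() impersonates
     * with it (ImpersonateLoggedOnUser) and execve() becomes CreateProcessAsUser. */
    cygwin_set_impersonation_token(token);
#else
    (void)password;                     /* Unix: privilege, not a password, drives setuid() */
#endif
    /* Drop supplementary groups and the gid before the uid, so a failed
     * setuid() never leaves a process that is half root and half user. */
    if (initgroups(pw->pw_name, pw->pw_gid) < 0 || setgid(pw->pw_gid) < 0)
        return SW_SETID;
    if (setuid(pw->pw_uid) < 0)
        return SW_SETID;                /* "Not owner" is this branch on NT without a token */
    return SW_OK;
}
```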