Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-Id: <5.1.0.14.0.20010710154844.02acf598@pop-server.cfl.rr.com>
X-Sender: psusi AT pop-server DOT cfl DOT rr DOT com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Tue, 10 Jul 2001 15:52:36 -0400
To: Corinna Vinschen <cygwin AT cygwin DOT com>
From: Phillip Susi <psusi AT cfl DOT rr DOT com>
Subject: Re: I can't find command su.exe
In-Reply-To: <20010709075304.F8578@cygbert.vinschen.de>
References: <5 DOT 1 DOT 0 DOT 14 DOT 0 DOT 20010708171355 DOT 02c86118 AT pop-server DOT cfl DOT rr DOT com>
 <000201c1065d$c01ce990$6464648a AT ca DOT boeing DOT com>
 <0DAEDF148988D411BB980008C7E65D2E03A14C18 AT esealnt416>
 <000201c1065d$c01ce990$6464648a AT ca DOT boeing DOT com>
 <20010708194325 DOT D8578 AT cygbert DOT vinschen DOT de>
 <5 DOT 1 DOT 0 DOT 14 DOT 0 DOT 20010708171355 DOT 02c86118 AT pop-server DOT cfl DOT rr DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 07:53 AM 7/9/2001 +0200, you wrote:

>You're right, we would need a server process to have a real `su'
>solution. We already discussed such a server process to support
>various features (su, suid-bit, ipc, ...) on the cygwin-developers
>list but that will need time. The need for the TCB privilege is a
>problem, actually. Fortunately Microsoft dropped the need to have
>the TCB privilege when calling LogonUser in XP but that doesn't
>really help as long as NT and W2K are still in use.

Right.

> > I was actually thinking of writing a replacement authentication dll that
> > would punt to the standard one unless a special username syntax was
> > entered, something like administrator!luser, and if the administrator
> > password was correct, it would log on as luser.  This would be nice 
> because
> > if you installed it on a domain controller, it would handle logon requests
> > from all clients in the domain, for local and remote access, not just 
> local.
>
>But authentication DLL's are actually running in TCB context as well.
>So the process connecting the authDLL would still need that privilege,
>right?
>
>Corinna
They are called by lsass.exe afaik.  The standard authentication dll 
performs the authentication, and builds the token for the user, so I 
thought why not install a hook to intercept specially formed logon 
requests, call the original package to authenticate the user trying to su, 
and if that succeeds, manually build a token for the user they are trying 
to su to.  For standard logon requests, just pass them on to the original 
package.

The difficulty with this is that the win2k ddk does not have any 
documentation on authentication packages that I can find, and the NT4 DDK 
documentation is sketchy at best.


   -->Phillip Susi
      psusi AT cfl DOT rr DOT com


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/