Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Date: Tue, 10 Jul 2001 22:14:10 +0200
From: Corinna Vinschen <cygwin AT cygwin DOT com>
To: cygwin <cygwin AT cygwin DOT com>
Subject: Re: I can't find command su.exe
Message-ID: <20010710221410.X8578@cygbert.vinschen.de>
Mail-Followup-To: cygwin <cygwin AT cygwin DOT com>
References: <5 DOT 1 DOT 0 DOT 14 DOT 0 DOT 20010708171355 DOT 02c86118 AT pop-server DOT cfl DOT rr DOT com> <000201c1065d$c01ce990$6464648a AT ca DOT boeing DOT com> <0DAEDF148988D411BB980008C7E65D2E03A14C18 AT esealnt416> <000201c1065d$c01ce990$6464648a AT ca DOT boeing DOT com> <20010708194325 DOT D8578 AT cygbert DOT vinschen DOT de> <5 DOT 1 DOT 0 DOT 14 DOT 0 DOT 20010708171355 DOT 02c86118 AT pop-server DOT cfl DOT rr DOT com> <20010709075304 DOT F8578 AT cygbert DOT vinschen DOT de> <5 DOT 1 DOT 0 DOT 14 DOT 0 DOT 20010710154844 DOT 02acf598 AT pop-server DOT cfl DOT rr DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.1.0.14.0.20010710154844.02acf598@pop-server.cfl.rr.com>; from psusi@cfl.rr.com on Tue, Jul 10, 2001 at 03:52:36PM -0400

On Tue, Jul 10, 2001 at 03:52:36PM -0400, Phillip Susi wrote:
> At 07:53 AM 7/9/2001 +0200, you wrote:
> >But authentication DLL's are actually running in TCB context as well.
> >So the process connecting the authDLL would still need that privilege,
> >right?
> >
> >Corinna
> They are called by lsass.exe afaik.  The standard authentication dll 
> performs the authentication, and builds the token for the user, so I 
> thought why not install a hook to intercept specially formed logon 
> requests, call the original package to authenticate the user trying to su, 
> and if that succeeds, manually build a token for the user they are trying 
> to su to.  For standard logon requests, just pass them on to the original 
> package.
> 
> The difficulty with this is that the win2k ddk does not have any 
> documentation on authentication packages that I can find, and the NT4 DDK 
> documentation is sketchy at best.

Did you have a look into the Cygwin sources? There are two functions
(plus various helper functions) in security.cc.

create_token() creates a token manually using the undocumented
NtCreateToken() function. Unfortunately this needs the CREATE_TOKEN
privilege which is only granted to LocalSystem by default and which
actually is a very dangerous privilege.

subauth() is the client code to call a Subauthentication DLL which
is part of the Cygwin source tree but had never made it into the
official release due to it's complex installation procedure and
the fact that it only works with W2K, not with NT4. Calling the
LSA client functions of course need the TCB privilege again...

However, that's all I could tweak out of the Microsoft API so far.
I would love to have a real authentication DLL in Cygwin but that
needs further knowledge of the LSA interface which I can't get from
the MSDN. As you aforementioned, the LSA documentation is really
crap^H^H^H^Hsketchy.

AFAICS, we will never get the full functionality w/o a server
process running under LocalSystem.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/