Date: Sat, 6 Oct 2001 00:24:03 -0400
From: Christopher Faylor
To: cygwin AT cygwin DOT com
Subject: Re: rshd chdirs before it sets uid and gid???

On Fri, Oct 05, 2001 at 03:40:45PM -0400, John Peacock wrote:
>Peter Buckley wrote:
>>
>> I was looking at the source (rshd.c) and it
>> seems backwards in the way it goes about doing
>> things. It is trying to chdir to the remote
>> user's home directory before it switches user
>> context. That doesn't make sense- I thought
>> the point of rsh was that *you* were supposed
>> to be *you* and not system or root or anyone
>> else.
>
>Remember that rshd was written for the *nix world and only _ported_
>to CygWin. Remember also that CygWin has only relatively recently
>adopted NT security (and it still has to run under W98).
>
>>
>> This is how I understand what it is doing,
>> please correct me if I am wrong.
>>
>> First, it checks if it is able to chdir to
>> the home directory of the remote user-
>>
>>         if (chdir(pwd->pw_dir) < 0) {
>>                 (void) chdir("/");
>> #ifdef __CYGWIN__
>>                 syslog(LOG_INFO|LOG_AUTH,
>>                     "%s@%s as %s: no home directory. cmd='%.80s'",
>>                     remuser, hostname, locuser, cmdbuf);
>>                 error("No remote directory.\n");
>>                 exit(1);
>> #endif
>>         }
>>
>> Then if CYGWIN is defined, it just exits?????
>> Telnet does NOT do this, it just chdirs to "/"
>> and allows you to continue.
>
>That is why telnet is not considered to be a secure program (and other
>reasons). Consider if somehow someone managed to log in as an account
>that does not have a home directory on purpose (like most service
>accounts); since CygWin's security until very recently has been
>Microsoft's (which is to say none at all), someone could wreak havoc
>on a machine, just given that they can log in.
>
>This is a security feature, not a bug, IMHO, and should not be
>changed. Only after the cd should the setgid/uid be performed (which
>had no real meaning/effect until 'ntsec' was perfected and still has
>no meaning under non-NTFS disks).
>
>>
>> I am running into this problem because SYSTEM
>> doesn't have rights to my home directory.
>>
>> It seems that the following bit of code should
>> come BEFORE the chdir stuff, so SYSTEM doesn't need
>> to have rights to EVERY user's home directory.
>
>System is an NT artifact; it is supposed to be used for services that
>require very little external rights (like to the filesystem) and to
>have special internal rights (like act as part of the O/S). rshd is
>still based in the *nix world where services are run as root until
>they drop to user levels (for things like rshd and sshd).
>
>Run rshd as an admin equivalent and everything will work fine. Better
>yet, run sshd and delete rshd entirely.

Maybe I'm missing something but I think the original point is well taken.
It seems more secure to me to do the change of user context first and then
the cd. I can't see what that hurts.

cgf
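
The ordering argued for in the last reply (change user context first, then chdir), as an added example that is not part of the original thread and is not code from rshd.c. It assumes POSIX setgid()/setuid() semantics; the names enter_home_as, drop_to_user and the ENTER_* return codes are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical return codes for this example. */
enum { ENTER_OK = 0, ENTER_DROP_FAILED = -1, ENTER_NO_HOME = -2 };

/* Hypothetical helper: become (uid, gid) permanently. Returns 0 or -1. */
static int drop_to_user(uid_t uid, gid_t gid)
{
    /* Leaving root: clear supplementary groups while we still can. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group first: after setuid() the gid can no longer be changed. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify that the drop took effect... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* ...and that root cannot be regained. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Switch identity first, then chdir, so the directory access check
 * runs as the target user and not as the account the daemon runs as. */
int enter_home_as(uid_t uid, gid_t gid, const char *dir)
{
    if (drop_to_user(uid, gid) != 0)
        return ENTER_DROP_FAILED;
    if (chdir(dir) != 0)
        return ENTER_NO_HOME;   /* caller decides: refuse, or fall back */
    return ENTER_OK;
}

int main(void)
{
    /* Constructed demo: "drop" to our own ids so it runs unprivileged. */
    int rc = enter_home_as(getuid(), getgid(), "/");
    printf("enter_home_as -> %d\n", rc);
    return rc == ENTER_OK ? 0 : 1;
}
```

With this ordering the daemon's own account needs no rights to any user's home directory, and a failed chdir can still be treated as a refusal by the caller.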