Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-ID: <3BCE0BED.7000702@nothing-on.tv>
Date: Wed, 17 Oct 2001 23:53:33 +0100
From: Tony Hoyle <tmh AT nothing-on DOT tv>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20011001
X-Accept-Language: en
MIME-Version: 1.0
To: Terris <terris AT terris DOT com>
Cc: ssh-l AT erdelynet DOT com, cygwin AT cygwin DOT com
Subject: Re: [ssh-l] Running commands under the SYSTEM account ?
References: <010601c15746$16aeb480$7e64a8c0 AT int DOT netacumen DOT com> <3BCDE821 DOT 1C046627 AT cportcorp DOT com> <000001c1574b$d21b9030$7e64a8c0 AT int DOT netacumen DOT com> <3BCDF32C DOT 73DA4578 AT cportcorp DOT com> <01b701c1575b$37d8a570$7e64a8c0 AT int DOT netacumen DOT com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by AMaViS perl-11

Terris wrote:

> I don't understand why creating a token
> as SYSTEM doesn't work.  I read the email
> you pointed me to and I still don't get it.
> If sshd uses NtCreateToken, it should work.
> 
> The CVS server CVSNT calls NtCreateToken 
> as the SYSTEM user.  The CVSNT service
> runs under the local SYSTEM account.  It works.  
> 


Yes this should work.  cvsnt uses NtCreateToken, followed
by ImpersonateUser().  This works as far as it goes.  However 
impersonation does not work over network shares (this is part of NT 
security - Win2k has a way around it but it isn't well documented) so 
the account isn't precisely the same as the original.

You have to be careful that when you create the token you duplicate the 
correct access token as exactly as possible (so you don't give 
joe-random-user Administrator access).  The code in cvsnt does this, and 
I believe cygwin does the same or similar.

Creating a shell from this impersonated account should work exactly the 
same as if LogonUser had been used.  cvsnt creates processes as part of 
its commit procedure, and it's important that these run as the user, for 
security reasons (Whilst working on the code for cvsnt I tested by 
creating a token, then using LogonUser and comparing them.  They are 
identical tokens in all cases I checked).

Tony


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/