From: Tony Hoyle
Date: Wed, 17 Oct 2001 23:53:33 +0100
To: Terris
Cc: ssh-l AT erdelynet DOT com, cygwin AT cygwin DOT com
Subject: Re: [ssh-l] Running commands under the SYSTEM account ?
Message-ID: <3BCE0BED.7000702@nothing-on.tv>
References: <010601c15746$16aeb480$7e64a8c0 AT int DOT netacumen DOT com> <3BCDE821 DOT 1C046627 AT cportcorp DOT com> <000001c1574b$d21b9030$7e64a8c0 AT int DOT netacumen DOT com> <3BCDF32C DOT 73DA4578 AT cportcorp DOT com> <01b701c1575b$37d8a570$7e64a8c0 AT int DOT netacumen DOT com>

Terris wrote:
> I don't understand why creating a token
> as SYSTEM doesn't work. I read the email
> you pointed me to and I still don't get it.
> If sshd uses NtCreateToken, it should work.
>
> The CVS server CVSNT calls NtCreateToken
> as the SYSTEM user. The CVSNT service
> runs under the local SYSTEM account. It works.
>

Yes, this should work. cvsnt uses NtCreateToken, followed by ImpersonateUser(). This works as far as it goes. However, impersonation does not work over network shares (this is part of NT security - Win2k has a way around it but it isn't well documented), so the account isn't precisely the same as the original.

You have to be careful that when you create the token you duplicate the correct access token as exactly as possible (so you don't give joe-random-user Administrator access). The code in cvsnt does this, and I believe cygwin does the same or similar.

Creating a shell from this impersonated account should work exactly the same as if LogonUser had been used. cvsnt creates processes as part of its commit procedure, and it's important that these run as the user, for security reasons. (Whilst working on the code for cvsnt I tested by creating a token, then using LogonUser and comparing them. They are identical tokens in all cases I checked.)

Tony

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
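The check Tony describes at the end of his reply, diffing a synthesized token against the one LogonUser returns for the same account so that a duplication mistake cannot quietly hand a plain user Administrators, as an added example that is not part of the thread, of cvsnt or of Cygwin; it assumes pywin32 (win32security) for reading real token handles on Windows, and the sample tokens are constructed:

```python
"""Diff a synthesized access token against the LogonUser token for the same user.
Added example, not cvsnt or Cygwin code; the comparison is plain Python,
reading real tokens needs Windows plus pywin32 (assumption)."""
ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators, well-known SID
SE_GROUP_ENABLED = 0x4
SE_PRIVILEGE_ENABLED = 0x2

def token_view(groups, privileges):
    """Keep only *enabled* group SIDs and privilege names: a disabled or
    deny-only entry grants nothing, so it must not count as an extra."""
    g = frozenset(sid for sid, attr in groups if attr & SE_GROUP_ENABLED)
    p = frozenset(name for name, attr in privileges if attr & SE_PRIVILEGE_ENABLED)
    return g, p

def compare_tokens(created, reference):
    """Empty extra_* lists are the property a token builder must preserve;
    grants_admin flags handing out Administrators the user never had."""
    cg, cp = token_view(*created)
    rg, rp = token_view(*reference)
    return {
        "extra_groups": sorted(cg - rg),
        "missing_groups": sorted(rg - cg),
        "extra_privileges": sorted(cp - rp),
        "missing_privileges": sorted(rp - cp),
        "grants_admin": ADMINISTRATORS in cg and ADMINISTRATORS not in rg,
    }

def read_token(htoken):
    """Windows only: (groups, privileges) of an open token handle via pywin32."""
    import win32security  # third-party; deferred so the comparison runs anywhere
    groups = [(win32security.ConvertSidToStringSid(sid), attr) for sid, attr in
              win32security.GetTokenInformation(htoken, win32security.TokenGroups)]
    privs = [(win32security.LookupPrivilegeName(None, luid), attr) for luid, attr in
             win32security.GetTokenInformation(htoken, win32security.TokenPrivileges)]
    return groups, privs

# Constructed sample tokens, not captured from a real system.
REFERENCE = (  # LogonUser result for an ordinary user: Everyone, Authenticated Users, Users
    [("S-1-1-0", SE_GROUP_ENABLED), ("S-1-5-11", SE_GROUP_ENABLED),
     ("S-1-5-32-545", SE_GROUP_ENABLED)],
    [("SeChangeNotifyPrivilege", SE_PRIVILEGE_ENABLED)],
)
OVERBROAD = (  # built from the wrong template: Administrators and SeDebug enabled
    REFERENCE[0] + [(ADMINISTRATORS, SE_GROUP_ENABLED)],
    REFERENCE[1] + [("SeDebugPrivilege", SE_PRIVILEGE_ENABLED), ("SeBackupPrivilege", 0)],
)

if __name__ == "__main__":
    print(compare_tokens(OVERBROAD, REFERENCE))
```

On Windows, feed `read_token()` the handle from LogonUser and the handle from the token you built, and expect every list in the result to be empty.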