Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: List-Archive: List-Post: List-Help:
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Date: Thu, 18 Oct 2001 10:53:58 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: [ssh-l] Running commands under the SYSTEM account ?
Message-ID: <20011018105358.P1696@cygbert.vinschen.de>
Mail-Followup-To: cygwin AT cygwin DOT com
References: <010601c15746$16aeb480$7e64a8c0 AT int DOT netacumen DOT com> <3BCDE821 DOT 1C046627 AT cportcorp DOT com> <000001c1574b$d21b9030$7e64a8c0 AT int DOT netacumen DOT com> <3BCDF32C DOT 73DA4578 AT cportcorp DOT com> <01b701c1575b$37d8a570$7e64a8c0 AT int DOT netacumen DOT com> <3BCE0BED DOT 7000702 AT nothing-on DOT tv>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3BCE0BED.7000702@nothing-on.tv>; from tmh@nothing-on.tv on Wed, Oct 17, 2001 at 11:53:33PM +0100

On Wed, Oct 17, 2001 at 11:53:33PM +0100, Tony Hoyle wrote:
> Creating a shell from this impersonated account should work exactly the
> same as if LogonUser had been used.

No, there is a significant difference. Using NtCreateToken() the process
doesn't create a so-called "Logon Session". A logon session has a unique
logon identifier (a LUID) which gets created by the LSA authentication
module running while logon authentication takes place. Since
NtCreateToken() doesn't call any LSA auth module, no logon session ID
gets created. To have a valid logon session ID nonetheless, the call to
NtCreateToken() has to use one of two "well-known" logon session IDs,
SYSTEM_LUID or ANONYMOUS_LOGON_LUID.

The next problem is that an authentication token contains invisible
information (from the GetTokenInformation() point of view).
When a user logs on using the `official' way (LogonUser is one of them),
that user has given credentials (password). These credentials are saved
in the created logon session to authenticate the user against servers on
the net and such stuff. Again, we have the problem that no unique logon
session has been created, so no credentials are stored anywhere. If you
try to `net use' a share the appropriate error message is generated:
"A specified logon session does not exist."

So everything is bound to creating a logon session. To make that really
clear:

**************************************************************************
*                                                                        *
* I don't know any way to create a logon session outside of a lsa        *
* authentication module. Even if I know the call which has to be used    *
* from inside a LSA authentication module to create a logon session,     *
* I don't know how to write a lsa authentication module. If anybody can  *
* help out here we could probably create a technique to change user      *
* context in Cygwin _with_ remote share access.                          *
*                                                                        *
**************************************************************************

And:

**************************************************************************
*                                                                        *
* Unless we have a method which creates a logon session without          *
* the need to give a password, access to shares is restricted to either  *
* public shares or to logon methods using a password (ssh w/ password,   *
* telnet).                                                               *
*                                                                        *
**************************************************************************

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
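The logon session ID the mail describes is visible from user mode: it is the AuthenticationId LUID in TOKEN_STATISTICS, and LSA can be asked (LsaGetLogonSessionData) whether it knows a session with that ID and whom the session belongs to. The following PowerShell script is an added example, not code from the mail or from Cygwin; it reads the current process token's logon session ID, flags the well-known LUIDs (SYSTEM_LUID 0x3e7 and ANONYMOUS_LOGON_LUID 0x3e6 are the two the mail names; LOCALSERVICE 0x3e5 and NETWORKSERVICE 0x3e4 are the other two defined in winnt.h), and reports the session's user and logon type. The function name Get-TokenLogonSession and the partial struct LOGON_SESSION_HEAD (only the leading fields of SECURITY_LOGON_SESSION_DATA) are this example's own choices.

```powershell
# Added example (not from the original mail or from Cygwin): read the logon
# session LUID out of the current process token and ask LSA about that session.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct LUID { public uint LowPart; public int HighPart; }

[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_STATISTICS {
    public LUID TokenId;
    public LUID AuthenticationId;   // the logon session ID the mail talks about
    public long ExpirationTime;
    public int  TokenType;
    public int  ImpersonationLevel;
    public uint DynamicCharged;
    public uint DynamicAvailable;
    public uint GroupCount;
    public uint PrivilegeCount;
    public LUID ModifiedId;
}

[StructLayout(LayoutKind.Sequential)]
public struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

// Assumed name: just the leading fields of SECURITY_LOGON_SESSION_DATA.
[StructLayout(LayoutKind.Sequential)]
public struct LOGON_SESSION_HEAD {
    public uint Size;
    public LUID LogonId;
    public LSA_UNICODE_STRING UserName;
    public LSA_UNICODE_STRING LogonDomain;
    public LSA_UNICODE_STRING AuthenticationPackage;
    public uint LogonType;
}

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr buf, uint len, out uint ret);
[DllImport("secur32.dll")]
public static extern uint LsaGetLogonSessionData(ref LUID luid, out IntPtr data);
[DllImport("secur32.dll")]
public static extern uint LsaFreeReturnBuffer(IntPtr buf);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

function Get-TokenLogonSession {
    $M = [Runtime.InteropServices.Marshal]
    $TOKEN_QUERY = 0x0008
    $hTok = [IntPtr]::Zero
    $hProc = [Diagnostics.Process]::GetCurrentProcess().Handle
    if (-not [Win32.Token]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) {
        throw "OpenProcessToken failed, error $($M::GetLastWin32Error())"
    }
    try {
        $TokenStatistics = 10   # TOKEN_INFORMATION_CLASS::TokenStatistics
        $len = $M::SizeOf([type][Win32.Token+TOKEN_STATISTICS])
        $buf = $M::AllocHGlobal($len)
        try {
            $got = [uint32]0
            if (-not [Win32.Token]::GetTokenInformation($hTok, $TokenStatistics, $buf, $len, [ref]$got)) {
                throw "GetTokenInformation failed, error $($M::GetLastWin32Error())"
            }
            $stats = $M::PtrToStructure($buf, [type][Win32.Token+TOKEN_STATISTICS])
        } finally { $M::FreeHGlobal($buf) }
    } finally { [void][Win32.Token]::CloseHandle($hTok) }

    $luid  = $stats.AuthenticationId
    $value = ([int64]$luid.HighPart -shl 32) -bor [int64]$luid.LowPart
    # Well-known logon session IDs from winnt.h; a token built with
    # NtCreateToken() has to borrow one of these instead of a fresh LUID.
    $wellKnown = switch ($value) {
        0x3e7   { 'SYSTEM_LUID' }
        0x3e6   { 'ANONYMOUS_LOGON_LUID' }
        0x3e5   { 'LOCALSERVICE_LUID' }
        0x3e4   { 'NETWORKSERVICE_LUID' }
        default { $null }
    }
    # Does LSA know a logon session with this ID? 0 = STATUS_SUCCESS,
    # 0xC000005F = STATUS_NO_SUCH_LOGON_SESSION (the `net use' error in the mail).
    $data = [IntPtr]::Zero
    $status = [Win32.Token]::LsaGetLogonSessionData([ref]$luid, [ref]$data)
    $user = $null; $logonType = $null
    if ($status -eq 0) {
        try {
            $head = $M::PtrToStructure($data, [type][Win32.Token+LOGON_SESSION_HEAD])
            $user = $M::PtrToStringUni($head.UserName.Buffer, [int]($head.UserName.Length / 2))
            $logonType = $head.LogonType   # 2 Interactive, 3 Network, 5 Service, 9 NewCredentials ...
        } finally { [void][Win32.Token]::LsaFreeReturnBuffer($data) }
    }
    [pscustomobject]@{
        LogonSessionLuid  = ('0x{0:x}' -f $value)
        WellKnownLuid     = $wellKnown
        SessionKnownToLsa = ($status -eq 0)
        SessionUser       = $user
        LogonType         = $logonType
        TokenUser         = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}

Get-TokenLogonSession
```

Run it once from a normal interactive or ssh-with-password session and the LUID is a fresh, non-well-known value whose SessionUser matches TokenUser. Run it from a shell whose token was manufactured with NtCreateToken() (or from a service) and the LUID falls on one of the well-known values: LSA still knows that session, but it is the SYSTEM or ANONYMOUS session, so the credentials attached to it are not the user's and network share access fails as the mail describes.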