Date: Mon, 29 Oct 2001 14:20:52 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)

On Mon, Oct 29, 2001 at 07:48:44AM -0500, Jason Tishler wrote:
> Corrina,

s/rrin/rinn

> Nevertheless, I now better understand why chown was not working under
> ssh via key exchange:
>
>     $ ssh tishlmob2d1m701 id
>     uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering)
>
> Note that Windows does not think that I am in the local Administrators
> group. Hence, I'm not able to chown, net start/stop, etc.
>
> But, if I ssh via password exchange:
>
>     $ ssh -1 tishlmob2d1m701 id
>     jtishler AT tishlmob2d1m701's password:
>     uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),10513(Domain Users),12093(Software Engineering)
>
> then Windows does. Why? Unfortunately, I don't (currently) know.

Hmm, Dunno. That's sort of a leak in the create_token() code in
security.cc but I don't see how that can happen. When performing a
password login, the user token is created by Windows itself while
in case of pubkey authentication I have to create the new token
by myself.

Jason, you are working on Cygwin code so you could take a look into it.

Let's begin in create_token() itself, line 761 calls get_group_sidlist()
which creates a list of SIDs of all groups the user is a member of.

In get_group_sidlist(), line 518, I'm calling get_user_groups() to
retrieve the list of global (domain) groups, followed by a call to
get_user_local_groups(), line 519, which retrieves the list of local
groups the user is a member of.

To do that, the function NetUserGetGroups() is used for getting the
list of global groups. To get all local groups, first NetLocalGroupEnum()
is called and then (in function is_group_member()) for each local group
I'm calling NetLocalGroupGetMembers() to check if either the user is
a direct member of that local group or one of his global groups is
a member of that local group.

This way, all groups of the user should have been retrieved.

Do you (or does anybody) see an error here?

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
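
A way to check for the symptom discussed in this message, as an added example that is not part of the original mail or of Cygwin: the script compares the group list of a reference session (password login) with that of a session under test (pubkey login) and reports groups missing from the latter. The function names `id_groups` and `missing_groups` are hypothetical, and the sample input is the two `id` outputs quoted above.

```shell
#!/bin/sh
# Sample input: the two `id` outputs quoted in the message above.
PUBKEY_ID='uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering)'
PASSWORD_ID='uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),10513(Domain Users),12093(Software Engineering)'

# id_groups (hypothetical helper): print one "gid(name)" entry per line,
# sorted, from a single line of `id` output. Group names such as
# "Domain Users" contain spaces, so the list is split on commas only.
id_groups() {
    printf '%s\n' "$1" | sed -n 's/^.* groups=//p' | tr ',' '\n' | LC_ALL=C sort -u
}

# missing_groups (hypothetical helper): print the groups present in the
# reference session ($1) but absent from the session under test ($2).
missing_groups() {
    ref=$(mktemp) || return 1
    cur=$(mktemp) || { rm -f "$ref"; return 1; }
    id_groups "$1" > "$ref"
    id_groups "$2" > "$cur"
    # comm -23 keeps lines unique to the first (reference) file.
    LC_ALL=C comm -23 "$ref" "$cur"
    rm -f "$ref" "$cur"
}

# Report what the pubkey session's token lacks relative to the password session.
missing_groups "$PASSWORD_ID" "$PUBKEY_ID"
```

On a live system, replace the two sample strings with the output of `ssh host id` captured once per authentication method.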