Date: Mon, 15 Jul 2002 22:59:33 -0700
From: David MacMahon
To: cygwin AT cygwin DOT com
Subject: Fwd: Re: cron and NT domains
Message-ID: <20020715225933.E1691@SmartSC.com>

On Mon, Jul 15, 2002 at 11:16:51AM +0200, Corinna Vinschen wrote:
> On Sun, Jul 14, 2002 at 08:07:17PM -0700, David MacMahon wrote:
> > I have created my /etc/passwd and /etc/group files by hand and they work
> > fine for ntsec and telnet and ftp. It is only cron that has a problem
> > and only cron that attempts to switch user context to my domain account
> > WITHOUT a password. This is what led me to believe that this is
> > actually intentional behavior. It seems to me that without this
> > behavior, one could easily impersonate another domain user simply by
> > concocting the proper /etc/passwd entry and creating a crontab job for
> > that user.
>
> It's the same situation as on U*X. If /var/cron/cron.allow and/or
> /var/cron/cron.deny aren't maintained...

It's not quite the same situation. On UNIX, anyone who can su can create
a crontab for any user, but only on that particular host. This is not such
a big deal because they (hopefully) have been permitted to su anyway. On
Windows, anyone who belongs to the local administrators group can create a
crontab for any user on that host *or* for any user in any domain
accessible from that host. For example, this allows anyone in the local
administrators group of any PC on the network to create a crontab for the
domain administrator.
If, as you claim, Windows can switch user context to a domain user without
requiring a password, this would allow anyone in the local administrators
group of any PC on the network to impersonate any domain user (including
domain administrator) without knowing the required password. This seems
like a huge security hole to me. Since the SIDs of domain administrators
are easy to find, anyone with a laptop could easily impersonate the domain
administrator. If I were a network admin I would be very scared.
Fortunately, at least on the network I'm on, Windows can't switch user
context to a domain user without a password.

> If you'd use sshd, it would change user context w/o password, too.

I set up sshd and found that it also exhibits this same behavior of not
being able to switch user context to a domain user without a password.
See below.

> However, I have no idea why cron doesn't work for you. I don't know
> enough of your environment.

I had attached the output of "cygcheck -srv", but the mail server rejected
my message for some vague reason ("something in the body of your message
was flagged as indicative of spam"). If there's some way to send that to
the list without looking like spam, let me know and I'll send it along.

> > One other slightly odd thing is that my RID (i.e. the last number of my
> > SID) is greater than 65535. So in the uid field of /etc/passwd, I have
>
> That's not odd. uids and gids are 16 bit values so far.

I didn't see that mentioned in the docs so it seemed odd to me. Maybe I
missed it.

> > to put (RID modulo 65536) otherwise things don't work right. For
>
> You can choose any free uid < 65536. It's your choice as described
> in http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-RELEASE1.1

You're right. I had chosen (RID modulo 65536) because that's what 'id'
showed when I didn't have a passwd entry. So when I made my passwd entry,
I used that value and it worked, but I hadn't tried others.
Here's what happens when I successfully ssh from "remote_host" to
"development-1" (my PC) as dm2328-l (a local user on my PC)...

    remote_host $ ssh -l dm2328-l development-1
    Last login: Mon Jul 15 16:47:40 2002 from remote_host
    Fanfare!!! You are successfully logged in to this server!!!
    dm2328-l@DEVELOPMENT-1 ~
    $

This creates one "Information" event in Event Viewer that says "Accepted
publickey for dm2328-l from 10.10.10.41 port 32837 ssh2."

Here's what happens when I unsuccessfully ssh from "remote_host" to
"development-1" (my PC) as dm2328 (a domain user)...

    remote_host $ ssh -l dm2328 development-1
    Last login: Mon Jul 15 16:48:20 2002 from remote_host
    Fanfare!!! You are successfully logged in to this server!!!
    Connection to development-1 closed.
    remote_host $

This creates one "Information" event and one "Error" in Event Viewer. The
Information event says "Accepted publickey for dm2328 from 10.10.10.41
port 32838 ssh2." The Error event says "fatal: setuid 6539: Permission
denied."

If I remove remote_host's public key from ~dm2328/.ssh/authorized_keys2,
I am forced to login with a password and then it works...

    remote_host $ ssh -l dm2328 development-1
    dm2328@development-1's password:
    Last login: Mon Jul 15 16:58:38 2002 from remote_host
    Fanfare!!! You are successfully logged in to this server!!!
    dm2328@DEVELOPMENT-1 ~
    $

Here is my /etc/passwd...

    root:*:0:0:Administrators group,S-1-5-32-544::
    Everyone:*:1:1:,S-1-1-0::
    SYSTEM:*:18:18:,S-1-5-18::
    admin:*:500:513:Administrator,U-DEVELOPMENT-1\Administrator,S-1-5-21-LLL-500:/:/bin/bash
    Guest:*:501:513:Guest,U-DEVELOPMENT-1\Guest,S-1-5-21-LLL-501:/home/Guest:/bin/bash
    dm2328-l:*:1002:513:David MacMahon,U-dm2328,S-1-5-21-LLL-1002:/home/dm2328-l:/bin/bash
    dm2328:*:6539:10513:David MacMahon,U-DOMAIN\dm2328,S-1-5-21-DDD-203147:/home/dm2328:/bin/bash

Here is my /etc/group...
    root:S-1-5-32-544:0:
    Everyone:S-1-1-0:1:
    SYSTEM:S-1-5-18:18:
    Backup Operators:S-1-5-32-551:551:
    Guests:S-1-5-32-546:546:
    Power Users:S-1-5-32-547:547:
    Replicator:S-1-5-32-552:552:
    Users:S-1-5-32-545:545:
    locals:S-1-5-21-LLL-513:513:
    dmnusers:S-1-5-21-DDD-513:10513:

Thanks again and I hope this helps,

Dave
--
David MacMahon, President
Smart Software Consulting
http://www.smartsc.com
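The thread turns on two details of hand-written Cygwin ntsec files: the SID that rides in the gecos field of each /etc/passwd entry, and the 16-bit uid limit that made the poster pick RID modulo 65536. The following audit script is an added example written for this page; it is not code from the mail, from the Cygwin project, or from anyone in the thread. It parses passwd and group lines in the layout shown above (constructed copies of the poster's entries, keeping the "LLL" and "DDD" placeholders the poster used in place of the real SID authorities), splits each SID into its authority prefix and RID, checks that every uid fits below 65536, that every gid resolves to a group whose SID comes from the same authority as the account, and lists which entries map to accounts from an authority other than the local machine (the assumed local prefix `S-1-5-21-LLL` is a parameter). That last list is the one an administrator would review, since those are the entries through which a local crontab could name a domain account.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample files, copied from the layout in the mail above.
# "LLL" and "DDD" are the poster's placeholders for the local-machine and
# domain SID authorities; a real file would carry numeric sub-authorities.
PASSWD_TEXT = r"""
root:*:0:0:Administrators group,S-1-5-32-544::
Everyone:*:1:1:,S-1-1-0::
SYSTEM:*:18:18:,S-1-5-18::
admin:*:500:513:Administrator,U-DEVELOPMENT-1\Administrator,S-1-5-21-LLL-500:/:/bin/bash
Guest:*:501:513:Guest,U-DEVELOPMENT-1\Guest,S-1-5-21-LLL-501:/home/Guest:/bin/bash
dm2328-l:*:1002:513:David MacMahon,U-dm2328,S-1-5-21-LLL-1002:/home/dm2328-l:/bin/bash
dm2328:*:6539:10513:David MacMahon,U-DOMAIN\dm2328,S-1-5-21-DDD-203147:/home/dm2328:/bin/bash
"""

GROUP_TEXT = r"""
root:S-1-5-32-544:0:
Everyone:S-1-1-0:1:
SYSTEM:S-1-5-18:18:
Backup Operators:S-1-5-32-551:551:
Guests:S-1-5-32-546:546:
Power Users:S-1-5-32-547:547:
Replicator:S-1-5-32-552:552:
Users:S-1-5-32-545:545:
locals:S-1-5-21-LLL-513:513:
dmnusers:S-1-5-21-DDD-513:10513:
"""

UID_LIMIT = 65536            # uids and gids are 16-bit values in the release discussed
LOCAL_PREFIX = "S-1-5-21-LLL"  # assumed SID authority of the local machine (placeholder)


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    sid: Optional[str]
    home: str
    shell: str


class GroupEntry(NamedTuple):
    name: str
    sid: Optional[str]
    gid: int


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-DDD-203147' into its authority prefix and numeric RID."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def default_uid_for_rid(rid: int) -> int:
    """The uid the poster saw 'id' report with no passwd entry: RID modulo 65536."""
    return rid % UID_LIMIT


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse name:pw:uid:gid:gecos:home:shell lines; the SID is the last gecos item."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        sid = next((item for item in reversed(gecos.split(",")) if item.startswith("S-1-")), None)
        entries.append(PasswdEntry(name, int(uid), int(gid), sid, home, shell))
    return entries


def parse_group(text: str) -> Dict[int, GroupEntry]:
    """Parse name:sid:gid:members lines into a gid-keyed map."""
    groups: Dict[int, GroupEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        name, sid, gid, _members = fields
        groups[int(gid)] = GroupEntry(name, sid or None, int(gid))
    return groups


def audit(passwd: List[PasswdEntry], groups: Dict[int, GroupEntry],
          local_prefix: str = LOCAL_PREFIX) -> Dict[str, List[str]]:
    """Return account names grouped by finding; an empty list means nothing to report."""
    findings: Dict[str, List[str]] = {
        "uid_out_of_range": [],     # uid does not fit in 16 bits
        "gid_unresolved": [],       # primary gid has no /etc/group entry
        "group_sid_mismatch": [],   # primary group comes from a different authority
        "domain_accounts": [],      # account SID is not from the local machine
        "uid_not_rid_default": [],  # uid differs from RID % 65536 (allowed, but worth knowing)
    }
    for e in passwd:
        if not 0 <= e.uid < UID_LIMIT:
            findings["uid_out_of_range"].append(e.name)
        grp = groups.get(e.gid)
        if grp is None:
            findings["gid_unresolved"].append(e.name)
        if e.sid is None:
            continue
        prefix, rid = split_sid(e.sid)
        if prefix.startswith("S-1-5-21-"):  # machine or domain account, not a well-known SID
            if prefix != local_prefix:
                findings["domain_accounts"].append(e.name)
            if e.uid != default_uid_for_rid(rid):
                findings["uid_not_rid_default"].append(e.name)
            if grp is not None and grp.sid is not None and split_sid(grp.sid)[0] != prefix:
                findings["group_sid_mismatch"].append(e.name)
    return findings


if __name__ == "__main__":
    for kind, names in audit(parse_passwd(PASSWD_TEXT), parse_group(GROUP_TEXT)).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

On the sample files the only finding is `domain_accounts: dm2328`, and `default_uid_for_rid(203147)` returns 6539, the value in the poster's entry and in the `setuid 6539` error from the Event Viewer. Running it against real files means replacing the two constructed strings with the contents of /etc/passwd and /etc/group and passing the machine's actual `S-1-5-21-...` prefix as `local_prefix`.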