Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Mon, 13 Jan 2003 18:20:12 -0800 (PST)
From: Richard Troy
Subject: current state of credential hopping?

Hi All,

One of the long-time known problems (limitations) with cygwin has been the lack of the ability to switch user identities, such as is done with the suid bit, and su utility. I know that as of last April, there was some talk of using the cygserver as a partial answer (with shared memory as a possible attack/leak point). I'm wondering about what's happened or is happening on this point and I've got a few practical questions and observations that relate.

The primary question is simple, but does not appear to be reflected in the archive: Is anybody working on cygserver to get this technology implemented?

I also observe that the sshd seems to be doing something a bit like this - how is it doing so? If we have an sshd doing something like this, why not have an su program? In fact, I have been taking advantage of the client side of ssh to ask a program be run for you on the "remote" system. Yeah, performance sucks, but then, at least it works! It does make for a crude 'su' program!

A somewhat related observation is that when I use ssh to create a session on the system, it seems to work just fine HOWEVER, it does not have good access to disk shares. How might I go about providing my ssh clients who are a different user than is logged in into windows (or when no one is logged in!) access to disk shares? These other users, if logged into windows directly, have privileges for their own disk share access.

The question then is, how can I mount volumes just for them? Do they need their own drive letters, or will they be private? ...I've read up on mount, but don't think this solves the problem: Simply accessing mounts which another user has the credentials for isn't quite right. The credentials should be based upon the rights of the user who's using them... That is to say, how/where do I tell it what username and password to use for the shares accessed? Or, will windows apply the correct credentials on my behalf? (I guess I could figure that out on my own with a lot of testing, but it'd be nice to get a straight answer if someone knows, please.)

Thanks, and happy CYGWINning!

Richard

--
Richard Troy, Chief Scientist
Science Tools Corporation
rtroy AT ScienceTools DOT com, 510-567-9957, http://ScienceTools.com/