Date: Mon, 30 Jun 2003 00:34:57 +0100
From: "Karsten M. Self"
To: cygwin AT cygwin DOT com
Subject: Re: About the 'su' command
Message-ID: <20030629233457.GY22695@ganymede>
In-Reply-To: <01d501c33598$5b90c020$0200000a@FoxtrotTech0001>

Is this, or could this be made, part of the standard Cygwin docs and/or FAQ?

Very nice explanation, Bill.

Peace.

on Wed, Jun 18, 2003 at 08:51:24AM -0400, Bill C. Riemers (cygwin AT docbill DOT net) wrote:

> > The second says the command won't work unless I have appropriate
> > privileges.
> > Do you know "someone" on an XP station that has more powers than the
> > Administrator or an Administrators member ?
>
> On most Unix systems, if you create a user with UID 65535 you will find that
> user is unable to run 'suid' commands including 'su'. This is a result of
> 65535 mapping to -1 as a short, and -1 having special meaning. For a while
> there was a trend to make the "nobody" user 65535. But then with the dawn
> of the web, programmers started wanting to make SUID cgi-bin scripts, while
> still using "nobody" as the default user for web connections. As such, the
> practice of using 65535 for "nobody" has for the most part been abandoned in
> the Unix world.
>
> However, someone at Microsoft must have thought this was an extremely good
> idea. And why just have one account which is not allowed to SUID? So
> instead, Microsoft wrote XP so any account != UID 18 is prohibited from
> SUID. (OK. I oversimplified; you can actually grant other accounts
> privilege to SUID on XP Professional...)
>
> At first thought, the idea of restricting SUID to SYSTEM seems to give XP
> much stronger security than most Unix systems. Until you stop and
> consider: if only SYSTEM can SUID, and I can't log in as SYSTEM, how does
> anything ever get installed to run under SYSTEM? It turns out SYSTEM is the
> account used for running services. Anyone with Administrators privilege can
> add a new service. Consequently, all Administrators can run any program
> they like as SYSTEM, including of course 'su'.
>
> So, you ask, if it is so easy for Administrator to run a process as SYSTEM,
> why doesn't 'su' use this trick? Quite simple. You can not change an
> existing process to SYSTEM privileges, nor can you do a direct exec() so you
> can pass your open file descriptors and environment to the new process.
> Consequently, you would find that if su used this "trick" your process would
> be running under a new TTY without access to existing file descriptors. So
> a command like 'su root -c "bar.sh" < /tmp/foo' would not work as expected.
>
> Now you ask, "Well then, why can ssh do pipes?" Very simple: 'ssh' sticks
> around after starting the child process, passing data from open file
> descriptors through sockets.
>
> Finally you ask, "If ssh can do that, why doesn't su?" Simple. Why rewrite
> 'su' to do those types of tricks, when 'ssh' already exists?
>
> Bill

--
Karsten M. Self http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Spread the real scoop on Xenu and The Church of Scientology, link Scientology on your website.
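Bill's point about why ssh can "do pipes" where a SYSTEM-spawning su could not, shown as an added example that is not from this thread: a wrapper that cannot hand its own descriptors to the child it starts instead keeps running and shuttles stdin and stdout to the child over socketpairs, which is the resident-relay approach he attributes to ssh. The `relay` and `upper_via_child` names and the child script are this example's own.

```python
import selectors
import socket
import subprocess
import sys

def relay(command, stdin_bytes):
    """Start `command` with its stdin/stdout on socket ends we hold, then stay
    resident moving bytes both ways until the child closes its stdout.
    Returns everything the child wrote. Stands in for the ssh approach."""
    in_ours, in_child = socket.socketpair()    # our stdin  -> child's stdin
    out_ours, out_child = socket.socketpair()  # child's stdout -> our stdout
    proc = subprocess.Popen(command, stdin=in_child, stdout=out_child)
    in_child.close()    # the child owns its copies now; dropping ours is
    out_child.close()   # what lets EOF propagate once each side finishes
    in_ours.setblocking(False)
    out_ours.setblocking(False)
    sel = selectors.DefaultSelector()
    sel.register(in_ours, selectors.EVENT_WRITE)
    sel.register(out_ours, selectors.EVENT_READ)
    pending = memoryview(stdin_bytes)   # what we still owe the child
    collected = bytearray()
    output_open = True
    while output_open:
        for key, events in sel.select():
            if key.fileobj is in_ours and events & selectors.EVENT_WRITE:
                if pending:
                    try:
                        sent = in_ours.send(pending)   # partial sends are normal
                    except (BrokenPipeError, ConnectionResetError):
                        sent = len(pending)            # child stopped reading
                    pending = pending[sent:]
                if not pending:
                    sel.unregister(in_ours)
                    in_ours.shutdown(socket.SHUT_WR)   # child now reads EOF
            if key.fileobj is out_ours and events & selectors.EVENT_READ:
                chunk = out_ours.recv(4096)
                if chunk:
                    collected.extend(chunk)
                else:
                    output_open = False                # child closed stdout
    sel.close()
    in_ours.close()
    out_ours.close()
    proc.wait()
    return bytes(collected)

# Constructed child: a filter that reads all of stdin and upcases it.
UPCASE_CHILD = "import sys; sys.stdout.write(sys.stdin.read().upper())"

def upper_via_child(data):
    return relay([sys.executable, "-c", UPCASE_CHILD], data)

if __name__ == "__main__":
    print(upper_via_child(b"su root -c bar.sh < /tmp/foo\n").decode())
```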