Subject: Re: About the 'su' command
To: "Karsten M. Self"
cc: cygwin AT cygwin DOT com
From: Brian DOT Kelly AT empireblue DOT com
Date: Mon, 30 Jun 2003 08:23:02 -0400

>> Why rewrite 'su' to do those types of tricks, when 'ssh' already exists?

Uhhh - how about "script portability??"

(Which is why I predict su will "someday" be made to do this. When?? Simple, when somebody does it .... )

[ I ain't demand'in nothin from nobody ]

Brian Kelly


"Karsten M. Self" @cygwin.com on 06/29/2003 07:34:57 PM
Sent by: cygwin-owner AT cygwin DOT com
To: cygwin AT cygwin DOT com
cc: (bcc: Brian Kelly/WTC1/Empire)
Subject: Re: About the 'su' command

Is this, or could this be made, part of the standard Cygwin docs and/or FAQ? Very nice explanation, Bill.

Peace.

on Wed, Jun 18, 2003 at 08:51:24AM -0400, Bill C. Riemers (cygwin AT docbill DOT net) wrote:
>
> > The second says the command won't work unless I have appropriate
> > privileges.
> > Do you know "someone" on an XP station that has more powers than the
> > Administrator or an Administrators member ?
>
> On most Unix systems, if you create a user with UID 65535 you will find that
> user is unable to run 'suid' commands including 'su'. This is a result of
> 65535 mapping to -1 as a short, and -1 having special meaning. For a while
> there was a trend to make the "nobody" user 65535. But then with the dawn
> of the web, programmers started wanting to make SUID cgi-bin scripts, while
> still using "nobody" as the default user for web connections. As such, the
> practice of using 65535 for "nobody" has for the most part been abandoned in
> the Unix world.
>
> However, someone at Microsoft must have thought this was an extremely good
> idea. And why just have one account which is not allowed to SUID? So
> instead, Microsoft wrote XP so any account != UID 18 is prohibited from
> SUID. (OK. I oversimplified, you can actually grant other accounts
> privilege to SUID on XP professional...)
>
> At first thought, the idea of restricting SUID to SYSTEM seems to give XP
> much stronger security than most Unix systems. Until you stop and
> consider, if only SYSTEM can SUID, and I can't login as SYSTEM, how does
> anything ever get installed to run under SYSTEM? It turns out SYSTEM is the
> account used for running services. Anyone with Administrators privilege can
> add a new service. Consequently, all Administrators can run any program
> they like as SYSTEM, including of course 'su'.
>
> So, you ask, if it is so easy for Administrator to run a process as SYSTEM,
> why doesn't 'su' use this trick? Quite simple. You can not change an
> existing process to SYSTEM privileges, nor can you do a direct exec() so you
> can pass your open file descriptors and environment to the new process.
> Consequently, you would find that if su used this "trick" your process would
> be running under a new TTY without access to existing file descriptors. So
> a command like 'su root -c "bar.sh" < /tmp/foo' would not work as expected.
>
> Now you ask, "Well then, why can ssh do pipes?" Very simple, 'ssh' sticks
> around after starting the child process and starts passing data from open
> file descriptors through sockets.
>
> Finally you ask, "If ssh can do that, why doesn't su?" Simple. Why rewrite
> 'su' to do those types of tricks, when 'ssh' already exists?
>
> Bill
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/

--
Karsten M. Self http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Spread the real scoop on Xenu and The Church of Scientology, link Scientology on your website.
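As an added example that is not part of the thread (and not Cygwin's or OpenSSH's code), here is the relay pattern Bill attributes to ssh, written in POSIX C for Cygwin or Linux: the launcher does not hand the child its own descriptors; it gives the child fresh pipes, stays alive, and copies bytes between its own stdin/stdout and those pipes, so a redirection like `< /tmp/foo` on the launcher still reaches the child. It assumes `/bin/sh` exists and that the input is small enough to write in one go before reading (a simplification of the select()-driven multiplexing a real relay does).

```c
/* Added example (not from the thread): a minimal stand-in for the relay Bill
 * attributes to ssh. The launcher gives the child fresh pipes rather than its
 * own descriptors, then stays alive and shuttles bytes, so
 * `./relay "tr a-z A-Z" < /tmp/foo` still feeds /tmp/foo to the child. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run cmd via /bin/sh -c, feed it input, capture its stdout; bytes or -1. */
ssize_t relay_run(const char *cmd, const char *input, char *out, size_t outlen)
{
    int to_child[2], from_child[2];
    if (pipe(to_child) < 0 || pipe(from_child) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: its stdin/stdout are the pipes only */
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(to_child[0]); close(from_child[1]);   /* parent keeps the far ends */
    size_t len = strlen(input), off = 0;
    while (off < len) {             /* relay: our stdin -> child (all at once;
                                       a real relay would multiplex with select) */
        ssize_t w = write(to_child[1], input + off, len - off);
        if (w <= 0) break;
        off += (size_t)w;
    }
    close(to_child[1]);             /* EOF so the child can finish */
    size_t got = 0;
    for (;;) {                      /* relay: child -> our stdout */
        ssize_t r = read(from_child[0], out + got, outlen - 1 - got);
        if (r <= 0 || (got += (size_t)r) >= outlen - 1) break;
    }
    out[got] = '\0'; close(from_child[0]);
    waitpid(pid, NULL, 0);
    return (ssize_t)got;
}

int main(int argc, char **argv)
{
    char in[4096], out[4096];
    in[fread(in, 1, sizeof in - 1, stdin)] = '\0';  /* whatever was redirected in */
    if (argc < 2 || relay_run(argv[1], in, out, sizeof out) < 0) return 1;
    fputs(out, stdout);
    return 0;
}
```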