Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe:
List-Archive:
List-Post:
List-Help:
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-Authentication-Warning: denzel.sciencetools.com: rtroy owned process doing -bs
Date: Tue, 23 Mar 2004 08:22:27 -0800 (PST)
From: Richard Troy
To:
Subject: sshd as a substitute for the suid bit on executables...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-IsSubscribed: yes

> From: Corinna Vinschen
> Subject: Re: suid bit on executables?
>
> On Mar 23 07:04, Richard Troy wrote:
> > I know
> > there's the SSHD code that could serve as an example, but it seems to
> > me that it's overkill for what I want [...]
>
> Nope. There's nothing simpler than utilizing an existing and working
> piece of code instead of creating another application with its entirely
> new, own set of bugs. IMO, using sshd is the way to go.
>
> Corinna

So, Corinna, you see it as simple... Before I start punching a tar-baby and get all stuck in things, a few more keystrokes might be helpful...

One additional challenge that has just occurred to me in my particular scenario is that in ordinary usage on Unix, my program that runs under the suid bit eventually launches a Java program that creates display windows and attaches to the keyboard/mouse in the usual way, and the user never knows it's running as the file owner and not as them. Before I go create a great solution that doesn't solve my real problem, I realize that I am unfamiliar with the security demands, if any, Windows imposes in such circumstances; please advise with your thoughts on this subject in the scenario under discussion here if you can.
Next, I can see how an account that has a particular privilege that provides all of the necessary access can have its shell redirected to be a particular program other than a usual shell (just update /etc/passwd, right?) and can have a null passphrase providing key access (passwordless access) to the desired account by other users, captured so that they can't run anything else in the account. This is then followed up with an alias that looks like the usual command but that instead performs something like:

alias foo="ssh @ "   # cmd line args trail and get passed along in the usual way

Such a solution would require _no_ additional coding, but a bit of configuration instead - a perfectly workable solution if, in fact, the resulting executing program can indeed open windows in the normal way on the console display.

(Non-Cygwin Q: Can, in fact, the shell be replaced with an ordinary program and have the args passed like this? Or is there another blessed method for "capturing" an account so it only runs one program?)

Corinna, is this what you had in mind? (Anyone else with a good idea?)

As always, thank you very, very much - this is a big deal to me.

Richard

--
Richard Troy, Chief Scientist
Science Tools Corporation
rtroy AT ScienceTools DOT com, 510-567-9957, http://ScienceTools.com/

---------- Forwarded message ----------
Date: Tue, 23 Mar 2004 16:04:08 +0100
From: Corinna Vinschen
Reply-To: cygwin AT cygwin DOT com
To: cygwin AT cygwin DOT com
Subject: Re: suid bit on executables?

On Mar 23 07:04, Richard Troy wrote:
> I know
> there's the SSHD code that could serve as an example, but it seems to me
> that it's overkill for what I want [...]

Nope. There's nothing simpler than utilizing an existing and working
piece of code instead of creating another application with its entirely
new, own set of bugs. IMO, using sshd is the way to go.

Corinna

--
Corinna Vinschen                         Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
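An added illustration of the "capture the account so it only runs one program" idea, not part of Richard's or Corinna's messages: OpenSSH's sshd starts the target account's login shell as `<shell> -c "<request>"` for a non-interactive request, and a key in `authorized_keys` carrying a `command="..."` option makes sshd run that forced command instead, with the client's original request in `$SSH_ORIGINAL_COMMAND`. Either way the account's entry point is a program you control, which can vet the request string and exec only the permitted program. The script below is an assumed example; the permitted program `/usr/local/bin/foo`, the `foo` alias name and the account itself are placeholders, and it says nothing about whether the launched program can open windows on a Windows console, which remains the open question in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a restricted login shell for a
# single-purpose account, installed as that account's shell in /etc/passwd.
#
# sshd invokes the login shell as   <shell> -c "<request>"
# so this script sees the whole request as $2, vets it, and execs only the
# one permitted program. The same vet_command check can be applied to
# $SSH_ORIGINAL_COMMAND when the key in authorized_keys has command="...".
#
# Assumptions (placeholders, not from the thread): the permitted program is
# /usr/local/bin/foo and callers type "foo ...".

ALLOWED_CMD=/usr/local/bin/foo
nl='
'

# vet_command REQUEST
# Accepts only a plain word list whose first word is the permitted program.
# Prints one vetted argument per line and returns 0; returns 1 for anything
# else (empty request, any other program, shell metacharacters). The
# arguments are never re-parsed by a shell, but refusing metacharacters
# keeps the account strictly single-purpose.
vet_command() {
    req=$1
    case "$req" in
        "") return 1 ;;
        *[\;\&\|\`\$\(\)\<\>\'\"]*|*"$nl"*) return 1 ;;
    esac
    set -f                      # split on whitespace, no pathname expansion
    set -- $req
    set +f
    [ "$#" -ge 1 ] || return 1
    case $1 in
        foo|"$ALLOWED_CMD")
            shift
            printf '%s\n' "$ALLOWED_CMD" "$@"
            return 0 ;;
    esac
    return 1
}

# restricted_main "$@"
# Entry point when sshd runs this file as the login shell. Anything but a
# single "-c <request>" (for example an interactive login) is refused.
restricted_main() {
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
        echo "restricted account: only 'foo' may be run here" >&2
        return 1
    fi
    if argv=$(vet_command "$2"); then
        # Rebuild the argument list from the newline-separated vetted output.
        old_ifs=$IFS
        IFS=$nl
        set -f
        set -- $argv
        set +f
        IFS=$old_ifs
        exec "$@"
    fi
    echo "restricted account: refused: $2" >&2
    return 1
}

# Dispatch only when arguments were given, i.e. when sshd started us; the
# file can otherwise be sourced by hand to exercise vet_command.
[ "$#" -eq 0 ] || restricted_main "$@"
```

With this as the account's shell, the user-side `alias foo="ssh account@host foo"` passes trailing arguments through as the request string, and nothing else the caller types reaches a real shell. A passphrase-less private key is equivalent to a password for that account, so anyone who can read the key file gets the same access; sshd's `from="host"` and `no-port-forwarding,no-agent-forwarding,no-pty` key options narrow what that access is worth.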