Message-Id: <3.0.5.32.20050129102626.00af0948@verizon.net>
Date: Sat, 29 Jan 2005 10:26:26 -0500
To: cygwin AT cygwin DOT com
From: "Pierre A. Humblet"
Subject: User's guide update

Here is a suggested replacement text for the "Switching User Context" section.

Pierre

Since Cygwin release 1.3.3, applications that are members of the Administrators group and have the "Create a token object", "Replace a process level token" and "Increase Quota" user rights can switch user context without giving a password by just calling the usual setuid, seteuid, setgid and setegid functions.

On NT and Win2000 the SYSTEM user has these privileges and can run services such as sshd. However, on Windows 2003, SYSTEM is lacking the "Create a token object" right. It is then necessary to create a special user with all the necessary rights, as well as "Logon as a service", to run such services. For security reasons this user should be denied the rights to log on interactively or over the network. All this is done by configuration scripts such as ssh-host-config.

An important restriction of this method is that a process started under a local account can't access network shares that require authentication. This also applies to the subprocesses that switched the user context without a password. People using network home drives are typically not able to access them when trying to log in using ssh or rsh without a password.
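
An added example (not part of the original message or of the Cygwin sources) of the call sequence a service would use for the passwordless switch described above, using only standard POSIX calls. The helper name `switch_user_context` and its error policy are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE           /* glibc: expose setgroups() */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * switch_user_context() is a hypothetical helper name, not a Cygwin API.
 * It changes the whole identity of the calling process to (uid, gid) using
 * only the standard calls named in the text. Returns 0 on success, -1 with
 * errno set on failure; a caller should exit rather than continue on -1.
 */
int switch_user_context(uid_t uid, gid_t gid)
{
    int changing = (uid != geteuid() || gid != getegid());

    /* Group changes come first: once the uid is switched, the process
     * may no longer hold the rights needed to change its groups. */
    if (changing && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Do not rely on the return codes alone: confirm the result. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed demo: "switch" to the identity we already have, which
     * needs no special rights and so works in any unprivileged shell. */
    if (switch_user_context(getuid(), getgid()) != 0) {
        fprintf(stderr, "switch failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```

A process without the rights listed in the message gets -1 from the first call that needs them, so the failure is caught before any work is done under the wrong account.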