Message-ID: <44BA7394.5000209@cygwin.com>
Date: Sun, 16 Jul 2006 13:12:52 -0400
From: "Larry Hall (Cygwin)"
To: cygwin AT cygwin DOT com
Subject: Re: inetd help

Andrew DeFaria wrote:
> Robert McGraw wrote:
>> Thanks Corinna and the gmane.os.cygwin group. I got my service running
>> from the above help.
>>
>> I am not a window type guy and so have a few questions on what I did:
>>
>> What makes sshd_server account so special? I looked through the
>> ssh-host-script where it creates the sshd_server. Is it the SID
>> S-1-5-32-544, which I know nothing about. Or could any user in the
>> administrator group do the same.
>>
>> If I wanted to create my own -u user, rather than the sshd_server
>> user, what special settings would be required or is that I have a
>> password set for this user which inetd uses?
>>
> I think it's the following section:
>
>     editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
>     editrights -a SeCreateTokenPrivilege -u sshd_server &&
>     editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
>     editrights -a SeDenyNetworkLogonRight -u sshd_server &&
>     editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
>     editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
>     editrights -a SeServiceLogonRight -u sshd_server &&
>     sshd_server_got_all_rights="yes"
>
> which bestows the necessary rights to the sshd_server user.
>

Actually it's just the calls to "editrights" that are necessary.
'SeCreateTokenPrivilege' is the right taken away from SYSTEM in W2K3,
thus necessitating the need for this new sshd_server to be created.

The only caution I would offer in all of this is that the OP not create
multiple users with this set of permissions, since it opens potential
security holes.

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA  01746
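
Added example (not part of the original message, and not Cygwin project code): a shell audit for the caution above, reporting every account that holds SeCreateTokenPrivilege, whether more than one does, and whether such an account lacks the deny-logon rights the quoted script applies. The `editrights -l` collection step and its one-right-per-line output are assumptions, the accounts inetd_svc and backup are hypothetical, and the inventory is constructed sample data.

```sh
#!/bin/sh
# Added example, not from the thread. Audits "account right" pairs for the
# privilege set that the quoted script grants to sshd_server.
# Assumption: on the Cygwin host the pairs come from something like
#   editrights -l -u "$u" | sed "s/^/$u /"    (one right name per line)
# Assumption: account names contain no whitespace.

# Logon denials that the quoted script pairs with the token privileges.
DENY_RIGHTS="SeDenyInteractiveLogonRight SeDenyNetworkLogonRight SeDenyRemoteInteractiveLogonRight"

# Constructed sample; inetd_svc and backup are hypothetical accounts.
sample_inventory() {
    for r in SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege \
             SeIncreaseQuotaPrivilege SeServiceLogonRight $DENY_RIGHTS; do
        echo "sshd_server $r"
    done
    echo "inetd_svc SeCreateTokenPrivilege"
    echo "inetd_svc SeServiceLogonRight"
    echo "inetd_svc SeDenyInteractiveLogonRight"
    echo "backup SeServiceLogonRight"
}

# audit_rights: reads "account right" lines on stdin and prints, sorted:
#   TOKEN <account>           holds SeCreateTokenPrivilege
#   NODENY <account> <right>  such an account lacks one of the deny rights
#   MULTIPLE <n>              more than one account holds the privilege
audit_rights() {
    awk -v deny="$DENY_RIGHTS" '
        NF >= 2 { has[$1, $2] = 1; acct[$1] = 1 }
        END {
            nd = split(deny, d, " ")
            for (a in acct) {
                if (!((a, "SeCreateTokenPrivilege") in has)) continue
                n++
                print "TOKEN " a
                for (i = 1; i <= nd; i++)
                    if (!((a, d[i]) in has)) print "NODENY " a " " d[i]
            }
            if (n > 1) print "MULTIPLE " n
        }' | LC_ALL=C sort
}

sample_inventory | audit_rights
```

A lone `TOKEN sshd_server` line is the state the quoted script sets up; any `MULTIPLE` or `NODENY` line is the condition the reply cautions against.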