Date: Wed, 15 Nov 2006 18:18:02 -0800
From: Brian Dessent
To: cygwin AT cygwin DOT com
Subject: Re: Windows environment variables in ssh sessions with privilege seperation

Sean Morgan wrote:

> Adding the environment variables to
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd\Parameters\Environment
> does not seem to have an effect outside of the CYGWIN variable which
> does in fact change after editing the registry. This provided me with
> some verification that I had in fact been carrying out my
> experimentation on the appropriate key.

This has nothing to do with privilege separation. It is by design.
Please see:

You can see the list of environment variables that are whitelisted in
openbsd-compat/bsd-cygwin_util.c:

    static struct wenv {
            const char *name;
            size_t namelen;
    } wenv_arr[] = {
            { NL("ALLUSERSPROFILE=") },
            { NL("COMMONPROGRAMFILES=") },
            { NL("COMPUTERNAME=") },
            { NL("COMSPEC=") },
            { NL("CYGWIN=") },
            { NL("NUMBER_OF_PROCESSORS=") },
            { NL("OS=") },
            { NL("PATH=") },
            { NL("PATHEXT=") },
            { NL("PROCESSOR_ARCHITECTURE=") },
            { NL("PROCESSOR_IDENTIFIER=") },
            { NL("PROCESSOR_LEVEL=") },
            { NL("PROCESSOR_REVISION=") },
            { NL("PROGRAMFILES=") },
            { NL("SYSTEMDRIVE=") },
            { NL("SYSTEMROOT=") },
            { NL("TMP=") },
            { NL("TEMP=") },
            { NL("WINDIR=") }
    };

Those are the only environment variables that will be propagated into
the newly created session. The proper way to handle this is to set them
in an /etc/profile-type file, as you would on a unix/linux system.

Brian
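
Added illustration, not part of the original message and not OpenSSH's own code: a C sketch that applies the whitelist quoted above to a constructed service environment, showing which entries would survive into the session. The names env_allowed, filter_env and sample_env, the NL macro definition, the case-sensitive prefix match and the sample values are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Name and its length, '=' included (assumed definition of NL). */
#define NL(x) x, (sizeof(x) - 1)

static const struct wenv { const char *name; size_t namelen; } wenv_arr[] = {
    { NL("ALLUSERSPROFILE=") }, { NL("COMMONPROGRAMFILES=") },
    { NL("COMPUTERNAME=") }, { NL("COMSPEC=") }, { NL("CYGWIN=") },
    { NL("NUMBER_OF_PROCESSORS=") }, { NL("OS=") }, { NL("PATH=") },
    { NL("PATHEXT=") }, { NL("PROCESSOR_ARCHITECTURE=") },
    { NL("PROCESSOR_IDENTIFIER=") }, { NL("PROCESSOR_LEVEL=") },
    { NL("PROCESSOR_REVISION=") }, { NL("PROGRAMFILES=") },
    { NL("SYSTEMDRIVE=") }, { NL("SYSTEMROOT=") }, { NL("TMP=") },
    { NL("TEMP=") }, { NL("WINDIR=") }
};

/* Constructed sample environment; MY_APP_HOME and TMPDIR are not listed. */
static char *sample_env[] = {
    "CYGWIN=ntsec", "MY_APP_HOME=C:\\app", "PATH=C:\\WINDOWS\\system32",
    "PATHEXT=.COM;.EXE", "TMPDIR=C:\\scratch", NULL
};

/* 1 if entry starts with a listed "NAME="; the '=' keeps TMPDIR off TMP. */
static int env_allowed(const char *entry)
{
    size_t j;
    for (j = 0; j < sizeof(wenv_arr) / sizeof(wenv_arr[0]); j++)
        if (strncmp(entry, wenv_arr[j].name, wenv_arr[j].namelen) == 0)
            return 1;
    return 0;
}

/* Compact a NULL-terminated envp in place; returns how many entries remain. */
static size_t filter_env(char **envp)
{
    size_t i, k = 0;
    for (i = 0; envp[i] != NULL; i++)
        if (env_allowed(envp[i]))
            envp[k++] = envp[i];
    envp[k] = NULL;
    return k;
}

int main(void)
{
    size_t i, kept = filter_env(sample_env);
    for (i = 0; i < kept; i++)
        puts(sample_env[i]);
    return 0;
}
```

Anything the filter drops, such as MY_APP_HOME here, is what the message says to set from an /etc/profile-type file instead of the service's registry key.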