X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-2.5 required=5.0 	tests=AWL,BAYES_00,SPF_PASS
X-Spam-Check-By: sourceware.org
Message-ID: <4A73DD05.9050404@gmail.com>
Date: Sat, 01 Aug 2009 07:13:25 +0100
From: Dave Korn <dave DOT korn DOT cygwin AT googlemail DOT com>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: running MS link.exe under Cygwin sshd?
References: <COL101-W36BBE2AAC62BCE7BE9CDE4E6110 AT phx DOT gbl>
In-Reply-To: <COL101-W36BBE2AAC62BCE7BE9CDE4E6110@phx.gbl>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Jay K wrote:
> http://social.msdn.microsoft.com/forums/en-US/vcgeneral/thread/eb49be0b-2a8c-4d55-8791-17e3cb1364c1
> 
> 
> " This issue is caused because cygwin does not implement a full login
> process. It tries to impersonate, but it looks to me as if it does not make
> the necessary call to LsaLogonUser. As a result, the wrong SID is in the
> token as the primary user. According to filemon, the debug server calls into
> secur32, which suggests that it is doing interpretive access control. It
> finds the service's SID instead of the users SID in some slot in the token
> that it gets via RPC, and then everything goes downhill from there.Why VS
> feels the need to put the PDB access in a separate process under separate
> access rights is very puzzling, but there it is. "
> 
> 
> Bug in Cygwin sshd?

  No, it's because Cygwin does not implement a full login process.  It tries to
impersonate, but because it does not make the necessary call to LsaLogonUser,
the wrong SID is in the token as the primary user.  As a result, VS finds the
service's SID instead of the user's SID in some slot in the token that it gets
via RPC, and then everything goes downhill from there.

  Why VS feels the need to put the PDB access in a separate process under
separate access rights is very puzzling, but there it is.

    cheers,
      DaveK

-- 
Perhaps you need to re-read the manual:

http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple