To: cygwin AT cygwin DOT com
From: Andrew Schulman
Subject: Re: admin privileges when logging in by ssh?
Date: Tue, 04 Oct 2011 11:59:18 -0400
Message-ID: <0s9m87drlejguq5s9u6njre69spr5sd8o6@4ax.com>
References: <20111004094440 DOT GB14728 AT calimero DOT vinschen DOT de>

> On Sep 12 10:24, Andrew Schulman wrote:
> > > When a user with administrative privileges logs in to sshd, it seems that the user is only granted
> > > standard user privileges for that session. Is there a way around that? How can I get the admin
> > > privileges for that session?
> >
> > Winding this up:
> >
> > Password authentication to sshd is all that's needed to be granted the account's admin privileges on
> > login. I was mistaken about UAC: unlike at the console, when you log in by ssh, the account's
> > admin privileges are granted at login, without needing any further authentication to UAC.
>
> I'm quite puzzled since password authentication should not be needed.
> This should work with pubkey as well. Please see
> http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview for
> a discussion of how setuid works in Cygwin.
>
> In all cases, password auth and passwordless auth, you should get a full
> admin token. In case of password auth and in the passwordless methods
> 2 and 3, the OS returns a restricted token under UAC, but that token
> has a reference to the full admin token attached. Cygwin fetches this
> token and uses that when switching the user context. In the default
> passwordless method 1, Cygwin creates a token from scratch, which also
> has full admin rights. However, this token has a couple of problems as
> described in http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
> Probably that's what you stumble over.

Thanks for writing up that documentation of user context switching (I assume it was you who wrote it). It's complex.

So IIUC, sshd by default uses method 1, creating a token from scratch. So when a user logs in with pubkey authentication, they won't have a logon session, which means their SID name may be misidentified by native Windows apps; and they won't have access to password-protected network shares. But they should still have all of the privileges normally granted to their account.

I'm not able to test it right now, but what I observed before was that when a user with the SeBackupPrivilege and SeBackupPrivilege privileges logged in by password authentication, it could use those privileges (with rsync); but when it logged in by pubkey authentication, it couldn't. So I agree that this is puzzling since it doesn't seem to square with the description above. This is on Windows 7 Home Premium.

I'll test this again when I can, to be sure what I observed is correct. If you can suggest any diagnostic tools to help identify the available privileges, that would be helpful. I'll also look into implementing methods 2 or 3, so I can do away with the password authentication.

Andrew.
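One way to get the per-session privilege comparison the thread asks for, as an added example that is not part of the original post or of Cygwin: run `whoami /priv` from the ssh session (once with password auth, once with pubkey auth) and feed the output to these shell functions, which report whether each named privilege is Enabled, Disabled or absent from the session's token. The `whoami /priv` output embedded below is a constructed sample so the script runs offline; `priv_state` and `check_privs` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `whoami /priv` output (not captured from a real host).
# On a real Cygwin shell, replace it with: PRIVS=$(whoami /priv)
SAMPLE_PRIV='PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeBackupPrivilege             Back up files and directories        Enabled
SeRestorePrivilege            Restore files and directories        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled'

# priv_state OUTPUT NAME
# Prints the State column for NAME: Enabled, Disabled, or "missing" when the
# privilege is not in the token at all (the case to look for after pubkey login).
priv_state() {
    state=$(printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $NF }')
    if [ -n "$state" ]; then
        printf '%s\n' "$state"
    else
        printf 'missing\n'
    fi
}

# check_privs OUTPUT NAME...
# Prints one line per privilege; returns 0 only if every one is Enabled.
check_privs() {
    out=$1; shift
    rc=0
    for p in "$@"; do
        s=$(priv_state "$out" "$p")
        printf '%-28s %s\n' "$p" "$s"
        [ "$s" = Enabled ] || rc=1
    done
    return $rc
}

# Demonstration on the constructed sample; rsync-style backup needs both.
check_privs "$SAMPLE_PRIV" SeBackupPrivilege SeRestorePrivilege \
    || echo "not all requested privileges are enabled in this session"
```

Run the same check from a password-authenticated and a pubkey-authenticated session and diff the two outputs; a privilege that shows as "missing" in one session but Enabled in the other confirms the token difference rather than a filesystem ACL problem.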