X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Fri, 14 Oct 2011 21:14:51 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: admin privileges when logging in by ssh?
Message-ID: <20111014191451.GD22040@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <rg0q679hpajl00ujv34jtmavsanhpb6n2t AT 4ax DOT com> <fb5s67hrbvq8lej86nqjhfp0et01fc6lsf AT 4ax DOT com> <20111004094440 DOT GB14728 AT calimero DOT vinschen DOT de> <0s9m87drlejguq5s9u6njre69spr5sd8o6 AT 4ax DOT com> <20111004175341 DOT GA14345 AT calimero DOT vinschen DOT de> <kegg975khakim6gdffidaauof66b9ie828 AT 4ax DOT com> <20111014182330 DOT GC22040 AT calimero DOT vinschen DOT de>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20111014182330.GC22040@calimero.vinschen.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Oct 14 20:23, Corinna Vinschen wrote:
> On Oct 14 11:18, Andrew Schulman wrote:
> > So the difference AFAICT is the membership in the Administrators group.
> > Notice also in the two listings below, that by password authentication,
> > backup gets
> > 
> > Mandatory Label\High Mandatory Level
> > 
> > while by pubkey, he gets
> > 
> > Mandatory Label\Medium Mandatory Level
> > 
> > whatever those are.
> 
> That's an UAC thingy.  Keep in mind that Cygwin has to create the user
> token from scratch here, given that you are using passwored-less setuid
> method 1
> (per http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). 
> I'm not aware of a method to fetch the mandatory level SID a user is
> supposed to get, so what Cygwin does is simply to base the mandatory
> level SID on the membership in the admins group.
> 
> As for the missing privileges, they are not missing in the user token,
> they are just disabled:
> [...]
> But even then, if the backup/restore privileges are disabled, it shouldn't
> matter in Cygwin.  Cygwin enables both privileges right at process startup.
> 
> Having said that, I have no idea why the privileges are disabled in your
> token.  The good news is that I can reproduce the behaviour on a Windows
> 2008 R2 box with a normal domain user account, which got explicit backup
> and restore rights.
> 
> I don't know why this occurs when using password-less setui method 1,
> this is something which I have to debug yet.

I just debugged this and now I know why this happens.   The problem
is the aforementioned Mandatory Label.  A user token which has medium
mandatory level can not enable these privileges, even if they are in
the user token.  If I create the token with high mandatory level,
it's no problem to enable the backup/restore permissions at process
startup.

However, I don't think it's a good idea to set the high mandatory level
on a token unconditionally.  This should only be done if the token
contains certain privileges.  The problem now is to find out which
permissions are affected by this.  I don't see any list of privileges
on MSDN in terms of UAC restriction.  Oh well, no pain, no gain.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple