X-Recipient: archive-cygwin AT delorie DOT com X-Spam-Check-By: sourceware.org Date: Sat, 15 Oct 2011 19:11:28 +0200 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: admin privileges when logging in by ssh? Message-ID: <20111015171128.GD6680@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: <20111004094440 DOT GB14728 AT calimero DOT vinschen DOT de> <0s9m87drlejguq5s9u6njre69spr5sd8o6 AT 4ax DOT com> <20111004175341 DOT GA14345 AT calimero DOT vinschen DOT de> <20111014182330 DOT GC22040 AT calimero DOT vinschen DOT de> <20111014191451 DOT GD22040 AT calimero DOT vinschen DOT de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20111014191451.GD22040@calimero.vinschen.de> User-Agent: Mutt/1.5.21 (2010-09-15) Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com On Oct 14 21:14, Corinna Vinschen wrote: > On Oct 14 20:23, Corinna Vinschen wrote: > > On Oct 14 11:18, Andrew Schulman wrote: > > > So the difference AFAICT is the membership in the Administrators group. > > > Notice also in the two listings below, that by password authentication, > > > backup gets > > > > > > Mandatory Label\High Mandatory Level > > > > > > while by pubkey, he gets > > > > > > Mandatory Label\Medium Mandatory Level > > > > > > whatever those are. > > > > That's an UAC thingy. Keep in mind that Cygwin has to create the user > > token from scratch here, given that you are using passwored-less setuid > > method 1 > > (per http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview). > > I'm not aware of a method to fetch the mandatory level SID a user is > > supposed to get, so what Cygwin does is simply to base the mandatory > > level SID on the membership in the admins group. > > > > As for the missing privileges, they are not missing in the user token, > > they are just disabled: > > [...] > > But even then, if the backup/restore privileges are disabled, it shouldn't > > matter in Cygwin. Cygwin enables both privileges right at process startup. > > > > Having said that, I have no idea why the privileges are disabled in your > > token. The good news is that I can reproduce the behaviour on a Windows > > 2008 R2 box with a normal domain user account, which got explicit backup > > and restore rights. > > > > I don't know why this occurs when using password-less setui method 1, > > this is something which I have to debug yet. > > I just debugged this and now I know why this happens. The problem > is the aforementioned Mandatory Label. A user token which has medium > mandatory level can not enable these privileges, even if they are in > the user token. If I create the token with high mandatory level, > it's no problem to enable the backup/restore permissions at process > startup. > > However, I don't think it's a good idea to set the high mandatory level > on a token unconditionally. This should only be done if the token > contains certain privileges. The problem now is to find out which > permissions are affected by this. I don't see any list of privileges > on MSDN in terms of UAC restriction. Oh well, no pain, no gain. I applied a patch to CVS which should solve this problem in a generic way. I observed how Windows handles the privileges when creating a token and your scenario should be nicely covered now. I also dropped a somewhat dangerous behaviour in terms of security when creating a token from scratch. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple