X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-2.1 required=5.0 tests=AWL,BAYES_00,RP_MATCHES_RCVD,SPF_HELO_PASS
X-Spam-Check-By: sourceware.org
To: cygwin AT cygwin DOT com
From: Andrew Schulman
Subject: Re: admin privileges when logging in by ssh?
Date: Sat, 15 Oct 2011 13:32:18 -0400
Lines: 51
Message-ID:
References: <20111004094440 DOT GB14728 AT calimero DOT vinschen DOT de> <0s9m87drlejguq5s9u6njre69spr5sd8o6 AT 4ax DOT com> <20111004175341 DOT GA14345 AT calimero DOT vinschen DOT de> <20111014182330 DOT GC22040 AT calimero DOT vinschen DOT de> <20111014191451 DOT GD22040 AT calimero DOT vinschen DOT de> <20111015171128 DOT GD6680 AT calimero DOT vinschen DOT de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Archive: encrypt
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

> On Oct 14 21:14, Corinna Vinschen wrote:
> > On Oct 14 20:23, Corinna Vinschen wrote:
> > > On Oct 14 11:18, Andrew Schulman wrote:
> > > > So the difference AFAICT is the membership in the Administrators group.
> > > > Notice also in the two listings below, that by password authentication,
> > > > backup gets
> > > >
> > > > Mandatory Label\High Mandatory Level
> > > >
> > > > while by pubkey, he gets
> > > >
> > > > Mandatory Label\Medium Mandatory Level
> > > >
> > > > whatever those are.
> > >
> > > That's a UAC thingy. Keep in mind that Cygwin has to create the user
> > > token from scratch here, given that you are using password-less setuid
> > > method 1
> > > (per http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview).
> > > I'm not aware of a method to fetch the mandatory level SID a user is
> > > supposed to get, so what Cygwin does is simply to base the mandatory
> > > level SID on the membership in the admins group.
> >
> > I just debugged this and now I know why this happens. The problem
> > is the aforementioned Mandatory Label. A user token which has medium
> > mandatory level cannot enable these privileges, even if they are in
> > the user token. If I create the token with high mandatory level,
> > it's no problem to enable the backup/restore permissions at process
> > startup.
> >
> > However, I don't think it's a good idea to set the high mandatory level
> > on a token unconditionally. This should only be done if the token
> > contains certain privileges. The problem now is to find out which
> > permissions are affected by this. I don't see any list of privileges
> > on MSDN in terms of UAC restriction. Oh well, no pain, no gain.
>
> I applied a patch to CVS which should solve this problem in a generic
> way. I observed how Windows handles the privileges when creating a
> token and your scenario should be nicely covered now. I also dropped a
> somewhat dangerous behaviour in terms of security when creating a token
> from scratch.

Thank you. I'll test the next snapshot and let you know how it goes.

You said that Cygwin should only set the high mandatory level if the token
contains certain privileges. So I guess that SeBackupPrivilege and
SeRestorePrivilege are among the ones that trigger the high mandatory
level? Anything more we should know about that?

The complexity of this thing sure is growing. Amazing that new wrinkles
are still being found.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
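The three things this thread turns on (the token's mandatory label, its Administrators membership, and whether SeBackupPrivilege/SeRestorePrivilege are merely present or can actually be enabled) can be checked from inside the ssh session itself. The script below is an added example written for this page; it is not Cygwin's code and does not come from the thread. It assumes whoami.exe's CSV column names ("Group Name", "Type", "SID", "Attributes" for /groups and "Privilege Name", "Description", "State" for /priv), reaches advapi32 through P/Invoke, and uses the arbitrary file name token-check.ps1.

```powershell
# token-check.ps1 -- added diagnostic, not part of Cygwin or of the thread.
# Reports the calling token's mandatory label and backup/restore privilege
# state, then attempts to enable SeBackupPrivilege on that same token.
# Run it from inside the ssh session under test so it inherits the token
# Cygwin built for that login:
#   powershell.exe -ExecutionPolicy Bypass -File token-check.ps1

# P/Invoke shims. TOKEN_PRIVILEGES is declared with Pack=1 so the LUID sits
# at offset 4 exactly as in the native struct (no 8-byte alignment padding).
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string system, string name, out long luid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public long Luid; public uint Attributes; }
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
    ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);
'@

$TOKEN_QUERY             = 0x0008
$TOKEN_ADJUST_PRIVILEGES = 0x0020
$SE_PRIVILEGE_ENABLED    = 0x0002
$ERROR_NOT_ALL_ASSIGNED  = 1300
$ADMINISTRATORS_SID      = 'S-1-5-32-544'

# whoami.exe lists the integrity label among the groups (Type "Label") and
# gives each privilege's current state. Blank lines are dropped before parsing.
$groups = whoami.exe /groups /fo csv | Where-Object { $_ } | ConvertFrom-Csv
$privs  = whoami.exe /priv   /fo csv | Where-Object { $_ } | ConvertFrom-Csv

$label = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
$admin = $groups | Where-Object { $_.SID -eq $ADMINISTRATORS_SID }

"Integrity level : {0} ({1})" -f $label.'Group Name', $label.SID
"Administrators  : {0}" -f $(if ($admin) { 'member' } else { 'not a member' })

foreach ($name in 'SeBackupPrivilege', 'SeRestorePrivilege') {
    $p = $privs | Where-Object { $_.'Privilege Name' -eq $name }
    "{0,-20}: {1}" -f $name, $(if ($p) { $p.State } else { 'not in token' })
}

# Try to enable SeBackupPrivilege on our own token, as a process would at
# startup. AdjustTokenPrivileges returns TRUE even when nothing was enabled;
# the tell is GetLastError() == ERROR_NOT_ALL_ASSIGNED (1300).
$tok = [IntPtr]::Zero
$access = [uint32]($TOKEN_QUERY -bor $TOKEN_ADJUST_PRIVILEGES)
if (-not [Win32.Token]::OpenProcessToken([Win32.Token]::GetCurrentProcess(), $access, [ref]$tok)) {
    throw ("OpenProcessToken failed: {0}" -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}
$luid = [long]0
if (-not [Win32.Token]::LookupPrivilegeValue($null, 'SeBackupPrivilege', [ref]$luid)) {
    throw "LookupPrivilegeValue failed"
}
$tp = New-Object -TypeName 'Win32.Token+TOKEN_PRIVILEGES'
$tp.PrivilegeCount = 1
$tp.Luid           = $luid
$tp.Attributes     = $SE_PRIVILEGE_ENABLED
[void][Win32.Token]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 16, [IntPtr]::Zero, [IntPtr]::Zero)
$err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

if ($err -eq 0) {
    "Enable SeBackupPrivilege: succeeded"
} elseif ($err -eq $ERROR_NOT_ALL_ASSIGNED) {
    "Enable SeBackupPrivilege: refused (ERROR_NOT_ALL_ASSIGNED); compare with the listing above"
} else {
    "Enable SeBackupPrivilege: AdjustTokenPrivileges error $err"
}
```

Run it once from a password login and once from a pubkey login and diff the two outputs. The medium and high labels carry the SIDs S-1-16-8192 and S-1-16-12288 respectively. Read the final line together with the privilege listing: ERROR_NOT_ALL_ASSIGNED is returned both when the privilege is absent from the token and when it is present but could not be enabled, and only the second case is the one the thread is about.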