X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:references:from:message-id:date
	:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=ExZ9w6N3eecH7bgW
	488NL9PuQY2uPLgQl4BqKpD1rFqbWGD3U57gWW1dAy++e8653Txd1Iw7ik9ixc69
	3UF8JgXbM+GAoQ8Lmyb5w8uyYGsHfpkW86Jj8THP+tg29bAACV+Wv9igZYzvlls7
	1f+EikzjBgqbv15pTcUBCHcEWuo=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:references:from:message-id:date
	:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=ZLBw7zZI3LaoniQWHE6Ino
	hg/m4=; b=TenXw9uq1AcHH8uH4llhCD5fMlugAbcyuHsDW+oO7b1JAOXWI+QQAx
	0qYd8vvCRubUt1N6/Ydxf4HFCaNYwJzytpxHJG6oE75IplmUmEazjwzBp0dz/IYW
	fJVLJGKZbEcw44QaKJo17/HL5db/JQaz6dOfllpImJZ+83cyaixVY=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.2 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,PLING_QUERY,RCVD_IN_DNSWL_LOW,RCVD_IN_SORBS_SPAM,SPF_PASS autolearn=ham version=3.3.2 spammy=1015, HContent-Transfer-Encoding:8bit, surprise
X-HELO: mail-it0-f53.google.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=1e100.net; s=20161025;        h=x-gm-message-state:subject:to:references:from:message-id:date         :user-agent:mime-version:in-reply-to:content-language         :content-transfer-encoding;        bh=4dLMyoaZU6+FboSLezaejdXNToQW/acsS9sLqbxoAvk=;        b=eRbmF5rpPiSbbq29O/0dHgEkVqTeEwA25+lC9MWTY+hP6P5YJ1XlaRtj9xAk5+aUpF         aVgFgRS7ArGI7LNO7GoDueJm/bB64fP0lA6/Hngov+Gzu4MhLebNU3Xe98ViZbeEzFcC         neyAMq93oP9bQ03teUatVSiwBnZ+MwBE5015G0lWp8bMcidRnnt19587QyP2orR+Of06         CmZS8F/2fjTyolp3pUoIZLrOhZXugCjiC+svDNWHoVqveegC06CQKVJbgiA9YIZQDxL3         3VP6XsftNdOY+PqCb78IXXMkFfmEOFZAgovxWrVslI7yRiAc8p4l8lOkd4Hc6J44CGkv         IRbQ==
X-Gm-Message-State: AODbwcAYTRoK+sC28/8shFYavr7ItG4cmfv2GHnDc9PFuw8uqAFlUyKE	3ziOPQda0rpoPWbf
X-Received: by 10.36.17.197 with SMTP id 188mr7482108itf.28.1496237219533;        Wed, 31 May 2017 06:26:59 -0700 (PDT)
Subject: Re: openssh: privilege separation no longer supported on Cygwin? SURPRISE!
To: cygwin AT cygwin DOT com
References: <d436698bbd53eef3cbdda788d4926109 AT xs4all DOT nl> <37b863f6-ce5c-ef13-569f-8044fe485075 AT gmail DOT com> <20e2702ca3837f5d54c558f8e786c717 AT xs4all DOT nl> <b16023ad6735108510ae351a8378a420 AT xs4all DOT nl> <262615c8cf6e134cedf97b0280c4a68f AT smtp-cloud2 DOT xs4all DOT net> <592E1C49 DOT 6020202 AT cygwin DOT com> <38be07babbfc69d5ccea67afe6f92794 AT smtp-cloud2 DOT xs4all DOT net>
From: cyg Simple <cygsimple AT gmail DOT com>
Message-ID: <28f7eeae-ed40-9837-53bc-d2d6a33ad5a7@gmail.com>
Date: Wed, 31 May 2017 09:27:02 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <38be07babbfc69d5ccea67afe6f92794@smtp-cloud2.xs4all.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-IsSubscribed: yes

On 5/31/2017 5:37 AM, Houder wrote:
> On Tue, 30 May 2017 21:28:41, "Larry Hall (Cygwin)" wrote:
> 
> [snip]
>> Cygwin's link to the Windows user ID is through the UID/SID mapping.  In
>> your case, you're apparently using /etc/passwd and so that's where the
>> mapping happens.  You can map the UID of a Cygwin user to any valid Windows
>> SID by editing the SID as you did.  This doesn't change how things look in
>> the Cygwin environment (i.e. the UID and user name are still the same) but
>> it does make a difference to Windows.  So the fact that you can change the
>> SID for the 'sshd' user and still get it to run is not all that surprising,
>> assuming that the new Windows SID that you're using as 'sshd' now has at
>> least similar permissions.  Of course, if you remove Cygwin's understanding
>> of 'sshd' so that it can't do the mapping of UID to SID or even have a
>> valid UID, then subsequent problems are not unexpected.
> 
> Hi Larry,
> 
> Thanks for your reply! Discussion!
> 
> First of all, I do not pretend to know Windows ... neither do I pretend that I
> know more about ssh/Cygwin than Corinna does (basically, I know not very much).
> 
> .. the only thing I am able to, is "observe" (and I may interpret wrong), and
> may have done "stupid" things. That is why your reply is appreciated by me.
> 
> Now back to your reply:
> 
> I had modified /etc/password as follows: (note the xxxx in the sid)
> 
> sshd:*:1015:513:U-Seven\sshd,S-1-5-21-91509220-1575020443-2714799223-xxxx:/var/empty:/bin/false
> 
> However, just now I modified it as follows:
> 
> sshd:*:1015:513:U-Seven\sshd,S-1-5-21-xxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx:/var/empty:/bin/false
> 
> (again changed the sshd service into 'automatic'), and rebooted the system.
> 
> After system reboot, an elevated shell is started ...
> (the ampersand sign at the end of the prompt indicates it is an elevated shell)

All of this talk of /etc/passwd leads me to point you to
https://cygwin.com/cygwin-ug-net/ntsec.html.

-- 
cyg Simple

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple