Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Date: Fri, 9 Jun 2017 11:00:36 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Switching the user context -- SeAssignPrimaryTokenPrivilege required Re: Installing sshd on W7 reveals errors in CSIH_SCRIPT -- patch file against master
Message-ID: <20170609090036.GH13513@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
References: <09b517b4e22a170590f36f240383189b AT smtp-cloud3 DOT xs4all DOT net>
In-Reply-To: <09b517b4e22a170590f36f240383189b@smtp-cloud3.xs4all.net>
User-Agent: Mutt/1.8.0 (2017-02-23)

On Jun  8 16:46, Houder wrote:
> Hi Corinna,
>
> Maybe you are still around ... otherwise it will be for the next round.
>
> During my exercise with sshd I was "forced" :-) to study the User Guide, as I
> am not "well informed" :-P about the security model of Windows.
>
> I am referring to this paragraph:
>
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> (switching the user context)
>
> To get a bit more acquainted with the stuff, I decided to try your example at
> the beginning of this paragraph - i.e. the example in subparagraph "Switching
> the user context WITH password authentication".
>
> (I modified the example in order to make it a bit more "exciting" -- see below)
>
> 64-@@# uname -a
> CYGWIN_NT-6.1 Seven 2.8.0(0.309/5/3) 2017-04-01 20:47 x86_64 Cygwin
> 64-@@# editrights -u Henri -l
> SeLockMemoryPrivilege <==== no special? privileges ...
>
> 64-@@# ./setuid
> Password:
> BEFORE uid = 1000, gid = 513
> BEFORE euid = 1000, egid = 513
> AFTER uid = 1004, gid = 513
> AFTER euid = 1004, egid = 513
> Surprise: execl() failed: : Operation not permitted
> retval = -1
> Should not be reached ...
> 64-@@#
>
> First I tried adding SeTcbPrivilege ("extremely powerful", according to what I
> read at MSDN). Logoff/Logon ...
>
> That did not help. Got the same result. So, NOT that powerful ...
>
> Secondly I tried adding SeAssignPrimaryTokenPrivilege ... Logoff/Logon ...
>
> 64-@@# ./setuid
> Password:
> BEFORE uid = 1000, gid = 513
> BEFORE euid = 1000, egid = 513
> AFTER uid = 1004, gid = 513
> AFTER euid = 1004, egid = 513
> sh-4.4$ id
> uid=1004(jvdwater) gid=513(None) groups=513(None),545(Users),11(Authenticated Users)
> sh-4.4$ exit
> 64-@@#
>
> It might be ?obvious? to an expert on Windows (after having searched through
> MSDN?), that this privilege (SeAssignPrimaryTokenPrivilege) is required ...
>
> That is, when one is going to invoke CreateProcessAsUser() ...
>
> However, someone without that knowledge ...
> Perhaps a small note to that effect (special privilege required!) in "Switching
> the user context with password authentication" might help the 'innocent' reader.

You're not supposed to do that.  setuid() is a privileged call, so it's
supposed to be called by a privileged process only.  Do not add these
permissions to a normal user account unless you exactly know what you're
doing security-wise.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
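The thread shows that a plain user account gained the ability to switch user context once SeAssignPrimaryTokenPrivilege was granted to it, and the reply warns against handing such rights to normal accounts. The following audit helper, written for this archive page and not part of the thread or of Cygwin, feeds the output of `editrights -u USER -l` (the command used above) through a check that flags token-related privileges on an account; the set of privileges it treats as sensitive is this script's own choice, and the input in the test is constructed.

```sh
#!/bin/sh
# Audit helper (added example): flag user-switching privileges that
# `editrights -u USER -l` reports for an account. Run on Cygwin from an
# elevated shell. The privilege set below is this script's own assumption.

# Privileges that let a process obtain or assign a token for another user.
SENSITIVE_PRIVS="SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeCreateTokenPrivilege"

# flag_privs: read editrights output (one right per line) on stdin and print
# every sensitive privilege found, in input order. Returns 0 when the account
# is clean and 1 when at least one sensitive privilege was present.
flag_privs() {
    rc=0
    while IFS= read -r line; do
        # editrights prints the bare right name; drop anything after whitespace
        line=${line%%[[:space:]]*}
        for p in $SENSITIVE_PRIVS; do
            if [ "$line" = "$p" ]; then
                printf '%s\n' "$p"
                rc=1
            fi
        done
    done
    return $rc
}

# audit_user: query one account with editrights and report the result.
audit_user() {
    user=$1
    if flagged=$(editrights -u "$user" -l | flag_privs); then
        printf '%s: no user-switching privileges\n' "$user"
        return 0
    fi
    printf '%s: holds user-switching privilege(s):\n%s\n' "$user" "$flagged"
    return 1
}

# Usage: ./audit-privs.sh Henri jvdwater
if [ $# -gt 0 ]; then
    status=0
    for u in "$@"; do
        audit_user "$u" || status=1
    done
    exit $status
fi
```

A non-zero exit status from the script means at least one listed account holds a privilege that the thread found sufficient for setuid()/exec to succeed from a normal user's shell.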