This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.



Re: New subdirectory in winsup


Wow! Thank you for this!!!

I recall it being a big task :]

I do hope it wasn't _too_ big.

Rob


----- Original Message -----
From: "Corinna Vinschen" <vinschen@redhat.com>
To: "cygdev" <cygwin-developers@cygwin.com>
Sent: Saturday, May 05, 2001 12:00 AM
Subject: New subdirectory in winsup


> Hi,
>
> I have just added a new subdirectory to winsup called "subauth".
> To update your local sandbox you'll have to change to your
> $(cygwinsrcdir)/winsup directory and call `cvs up -d'.
>
> That new subdirectory contains the code to generate a subauthentication
> DLL which allows the new code in cygwin/security.cc to change the
> user context without providing a password on NT/W2K systems.
>
> The installation is somewhat tricky. When you've successfully built
> the DLL, you'll have to copy it into your $SYSTEMROOT/system32
> directory. It's unfortunately not enough to add for example
> C:\cygwin\bin to the system environment PATH variable so that
> subauth DLLs are searched there, too.
>
> Then you'll have to add a registry entry to
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0
>
> The new value should be named "Auth255", type REG_SZ, and should contain
> the string "CYGSUBA". If for some reason your system already contains
> an "Auth255" value, create an "Auth254" or so (NEVER "Auth0"!!!) and
> add the following to your CYGWIN variable:
>
> CYGWIN= ... subauth_id:254 ...
>
> The default value of "subauth_id" is 255 according to the above
> description and the recommendation of Microsoft.
>
> Then be sure to have an account with the SE_TCB_NAME "Act as part
> of the operating system" privilege active since it's needed to
> be able to contact the LSA subsystem which manages the user
> authentication in NT/W2K. That right is by default only given to
> LocalSystem. That's of course no advice to always create such an
> account but it's only for testing purposes!
>
> Then reboot as you should be used to as a Windows user.
>
> After logging in as the user which has the SE_TCB_NAME privilege,
> you should be able to use the good old `su' which you probably
> still have on your system to change the user context.
>
> If you don't have `su', just try the following test app:
>
> =========================
> #include <unistd.h>
> #include <stdio.h>
> #include <stdlib.h>	/* atoi */
> #include <sys/types.h>
> #include <sys/wait.h>	/* wait */
> #include <pwd.h>
> #include <grp.h>
>
> int
> main(int argc, char **argv)
> {
>   uid_t uid;
>   gid_t gid;
>   int pid, s;
>
>   if (argc < 3)
>     {
>       fprintf (stderr, "usage: %s uid gid\n", argv[0]);
>       return 1;
>     }
>   /* Remember the original effective ids so they can be restored. */
>   gid = getegid ();
>   uid = geteuid ();
>   printf ("BEFORE: uid: %d, gid: %d\n", geteuid (), getegid ());
>   /* Switch group first, then user; the AFTER line shows whether it worked. */
>   setegid (atoi (argv[2]));
>   seteuid (atoi (argv[1]));
>   printf ("AFTER: uid: %d, gid: %d\n", geteuid (), getegid ());
>   switch (pid = fork ())
>     {
>     case -1:
>       fprintf (stderr, "fork failed\n");
>       break;
>     case 0:
>       /* Child: start a login shell under the new user context. */
>       printf ("CHILD: uid: %d, gid: %d\n", geteuid (), getegid ());
>       execlp ("bash", "bash", "--login", NULL);
>       fprintf (stderr, "exec failed\n");
>       break;
>     default:
>       /* Parent: wait for the shell to exit. */
>       wait (&s);
>       break;
>     }
>   /* Switch back to the original ids. */
>   setegid (gid);
>   seteuid (uid);
>   printf ("BACK: uid: %d, gid: %d\n", geteuid (), getegid ());
>   return 0;
> }
> =========================
>
> Corinna
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:cygwin@cygwin.com
> Red Hat, Inc.
>
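
A pre-flight check for the setup steps quoted above, as an added example that is not part of the original message and not Cygwin's own code: it reads `subauth_id` from a CYGWIN-style option string and confirms that the matching `AuthN` value holds `CYGSUBA`. The helper names, the whitespace-separated option format, the accepted range 1 to 255 and the sample registry listing are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
struct regval { const char *name; const char *data; };
/* Constructed sample of values under the MSV1_0 key (not real data);
   Auth255 is already taken by another package here. */
static const struct regval sample[] = {
  { "Auth254", "CYGSUBA" }, { "Auth255", "OTHERDLL" } };

/* Hypothetical helper: id selected by a CYGWIN-style option string.
   Returns 1..255, 255 if the option is absent, or -1 if the value is
   malformed, out of range, or 0 (the message forbids Auth0). */
int subauth_id_from_env (const char *env)
{
  static const char key[] = "subauth_id:";
  const size_t klen = sizeof key - 1;
  const char *p = env;
  while (p && *p) {
    p += strspn (p, " \t");            /* skip separators */
    size_t len = strcspn (p, " \t");   /* length of this token */
    if (len >= klen && !strncmp (p, key, klen)) {
      char *end;
      long v = strtol (p + klen, &end, 10);
      return (end != p + len || v < 1 || v > 255) ? -1 : (int) v;
    }
    p += len;
  }
  return 255;                          /* default stated in the message */
}

/* Returns 1 if Auth<id> = "CYGSUBA" is listed for the selected id,
   0 if it is not, -1 if the option string itself is invalid. */
int subauth_registered (const char *env, const struct regval *vals, size_t n)
{
  char want[16];
  int id = subauth_id_from_env (env);
  if (id < 0)
    return -1;
  snprintf (want, sizeof want, "Auth%d", id);
  for (size_t i = 0; i < n; i++)
    if (!strcasecmp (vals[i].name, want))   /* registry names ignore case */
      return !strcasecmp (vals[i].data, "CYGSUBA");
  return 0;
}

int main (void)
{
  return subauth_registered ("tty subauth_id:254", sample, 2) == 1 ? 0 : 1;
}
```

With the sample listing, an empty option string fails the check because the default id 255 points at a different package, which is the mismatch the `subauth_id:254` setting is meant to resolve.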

