This is the mail archive of the cygwin-developers mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Request for help debugging screen problem

From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin-developers at cygwin dot com
Date: Fri, 5 Feb 2010 17:31:05 +0100
Subject: Re: Request for help debugging screen problem
References: <4B6BF601.7020003@shaddybaddah.name> <20100205134648.GO28659@calimero.vinschen.de> <20100205143533.GA28366@ednor.casa.cgf.cx> <4B6C347B.5090106@shaddybaddah.name> <20100205154411.GR28659@calimero.vinschen.de> <4B6C4018.1090608@shaddybaddah.name>
Reply-to: cygwin-developers at cygwin dot com

On Feb  5 15:58, Shaddy Baddah wrote:
> On 5/02/2010 3:44 PM, Corinna Vinschen wrote:
> >>The issue is almost definitely related to the privilege model on
> >>these OSes, as as I expected, XP doesn't present with the same
> >>problem. It also does not present if I ssh into the unlocked
> >>Administrator account. It of course does present if logged into a
> >>Administrators grouped user account other than the standard
> >>Administrator user.
> >
> >Really?  The user token you're running under should be the elevated
> >admin token with full admin rights, at least as long as you have
> >logged in via ssh.  Hmm.  Except, if you have logged in via pubkey
> >authentication and you're using the user context switch method 1:
> >http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
> >In that case I don't know if the hand-crafted user token is really
> >accepted in terms of mandatory integrity tests, even though the token
> >contains the integrity SID.
> 
> I am logging using a password to an sshd configured using
> ssh-host-config. I login as a regular user only in the Users group,
> or an user in the Administrators group. Either way, the situation is
> the same. It is only as the true (unlocked) Administrator that I can
> reattach to screen sessions.

That makes sense.  In case of password logon, Cygwin is using the
exact token it gets back from the LogonUser function, not the
attached elevated token.  Hmm, I put that on my TODO list.  After
all, if I logon via ssh as admin user, I do that to do admin tasks,
so I want to run the session elevated.

> I thought it was common knowledge that logging in to an
> Administrtors grouped user in Vista or Windows 7 is not enough to
> defeat the (default) UAC, and you remain unelevated from a privilege
> standpoint. That is why I have no choice but to unlock the genuine
> Administrator (and rename it just in case).

No, that's not quite correct.  If you call LogonUser (or the cyglsa sort
of password-less authentication) successfully, the system returns the
non-elevated token as well as the elevated token as a so-called linked
token.  In case of pubkey authentication, Cygwin refers to the elevated
token and uses that to switch the user context.  In case of password
authentication it does not do that so far.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Follow-Ups:
- Re: Request for help debugging screen problem
  - From: Corinna Vinschen

References:
- Request for help debugging screen problem
  - From: Shaddy Baddah
- Re: Request for help debugging screen problem
  - From: Corinna Vinschen
- Re: Request for help debugging screen problem
  - From: Christopher Faylor
- Re: Request for help debugging screen problem
  - From: Shaddy Baddah
- Re: Request for help debugging screen problem
  - From: Corinna Vinschen
- Re: Request for help debugging screen problem
  - From: Shaddy Baddah

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]