Date: Fri, 4 May 2001 16:00:25 +0200
From: Corinna Vinschen
To: cygdev
Subject: New subdirectory in winsup
Message-ID: <20010504160025.E24200@cygbert.vinschen.de>

Hi,

I have just added a new subdirectory to winsup called "subauth". To update your local sandbox you'll have to change to your $(cygwinsrcdir)/winsup directory and call `cvs up -d'.

That new subdirectory contains the code to generate a subauthentication DLL which allows the new code in cygwin/security.cc to change the user context without providing a password on NT/W2K systems.

The installation is somewhat tricky. When you've successfully built the DLL, you'll have to copy it into your $SYSTEMROOT/system32 directory. It's unfortunately not enough to add for example C:\cygwin\bin to the system environment PATH variable so that subauth DLLs are searched there, too.

Then you'll have to add a registry entry to

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0

The new value should be named "Auth255", type REG_SZ, and should contain the string "CYGSUBA". If for some reason your system already contains an "Auth255" value, create an "Auth254" or so (NEVER "Auth0"!!!) and add the following to your CYGWIN variable:

  CYGWIN= ... subauth_id:254 ...

The default value of "subauth_id" is 255 according to the above description and the recommendation of Microsoft.

Then be sure to have an account with the SE_TCB_NAME "Act as part of the operating system" privilege active since it's needed to be able to contact the LSA subsystem which manages the user authentication in NT/W2K.
That right is by default only given to LocalSystem. That's of course no advice to always create such an account but it's only for testing purposes!

Then reboot as you should be used to as a Windows user.

After logging in as the user which has the SE_TCB_NAME privilege, you should be able to use the good old `su' which you probably still have on your system to change the user context. If you don't have `su', just try the following test app:

=========================
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

int
main(int argc, char **argv)
{
  uid_t uid;
  gid_t gid;
  int pid, s;

  if (argc < 3)
    {
      fprintf (stderr, "usage: %s uid gid\n", argv[0]);
      return 1;
    }

  /* Remember the original identity so it can be restored at the end. */
  gid = getegid ();
  uid = geteuid ();
  printf ("BEFORE: uid: %d, gid: %d\n", geteuid (), getegid ());

  /* Switch to the requested user context; no password is supplied. */
  setegid (atoi (argv[2]));
  seteuid (atoi (argv[1]));
  printf ("AFTER: uid: %d, gid: %d\n", geteuid (), getegid ());

  switch (pid = fork ())
    {
    case -1:
      fprintf (stderr, "fork failed\n");
      break;
    case 0:
      /* The child inherits the new context and starts a login shell. */
      printf ("CHILD: uid: %d, gid: %d\n", geteuid (), getegid ());
      execlp ("bash", "bash", "--login", NULL);
      fprintf (stderr, "exec failed\n");
      break;
    default:
      wait (&s);
      break;
    }

  /* Switch back to the original identity. */
  setegid (gid);
  seteuid (uid);
  printf ("BACK: uid: %d, gid: %d\n", geteuid (), getegid ());
  return 0;
}
=========================

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
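The pairing of the "AuthN" registry value and the `subauth_id` setting described in the message can be checked mechanically; the following is an added example, not part of the original mail and not Cygwin's own code. It assumes CYGWIN options are space-separated `name:value` tokens as shown above and that IDs fit in 1..255; the function names, the struct and the "OTHERSUB" DLL name are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#define SUBAUTH_DEFAULT 255               /* default stated in the message */
enum { SUBAUTH_OK, SUBAUTH_BAD_ID, SUBAUTH_NO_VALUE, SUBAUTH_WRONG_DLL };
/* One value under ...\Control\Lsa\MSV1_0 (e.g. taken from a registry export). */
struct reg_value { const char *name, *data; };

/* ID selected by a CYGWIN string: the default when subauth_id is absent,
   -1 when it is malformed, 0, or above 255 (8-bit range is an assumption). */
int subauth_id_from_env(const char *cygwin)
{
    static const char key[] = "subauth_id:";
    const size_t klen = sizeof key - 1;
    int id = SUBAUTH_DEFAULT;
    for (const char *p = cygwin; p && *p; ) {
        p += strspn(p, " \t");
        size_t len = strcspn(p, " \t");
        if (len >= klen && strncmp(p, key, klen) == 0) {
            char *end;
            long v = strtol(p + klen, &end, 10);
            if (end != p + len || v < 1 || v > 255)
                return -1;                /* rejects "Auth0" and junk */
            id = (int)v;                  /* last occurrence wins */
        }
        p += len;
    }
    return id;
}

/* Does the AuthN value that CYGWIN points at exist and name CYGSUBA? */
int check_subauth(const char *cygwin, const struct reg_value *v, size_t n)
{
    char want[16];
    int id = subauth_id_from_env(cygwin);
    if (id < 0) return SUBAUTH_BAD_ID;
    snprintf(want, sizeof want, "Auth%d", id);
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(v[i].name, want) == 0)   /* value names ignore case */
            return strcasecmp(v[i].data, "CYGSUBA") ? SUBAUTH_WRONG_DLL : SUBAUTH_OK;
    return SUBAUTH_NO_VALUE;
}

int main(void)
{
    /* Constructed sample: Auth255 is already taken by another DLL. */
    const struct reg_value sample[] = { { "Auth255", "OTHERSUB" }, { "Auth254", "CYGSUBA" } };
    printf("%d\n", check_subauth("ntsec subauth_id:254", sample, 2));
    return 0;
}
```

With the constructed sample, leaving `subauth_id` out of CYGWIN yields `SUBAUTH_WRONG_DLL`, because the default ID 255 resolves to the other package.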