Mailing-List: contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-developers-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin-developers AT sources DOT redhat DOT com
Date: Mon, 7 May 2001 19:24:31 +0200
From: Corinna Vinschen
To: cygdev
Subject: Re: New subdirectory in winsup
Message-ID: <20010507192431.G24200@cygbert.vinschen.de>
Reply-To: cygdev
Mail-Followup-To: cygdev
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rdparker@butlermfg.com on Mon, May 07, 2001 at 11:56:02AM -0500

On Mon, May 07, 2001 at 11:56:02AM -0500, Parker, Ron wrote:
> > Then be sure to have an account with the SE_TCB_NAME "Act as part
> > of the operating system" privilege active, since it's needed to
> > be able to contact the LSA subsystem which manages the user
> > authentication in NT/W2K. That right is by default only given to
> > LocalSystem. That's of course no advice to always create such an
> > account; it's only for testing purposes!
>
> Am I understanding properly that this privilege must be added to the user's
> login account? If so, it seems to me that this would possibly introduce
> some further security issues.

If user A (say, root) wants to `su' to a user account B (say, ronald mc donald),
then user A needs the SE_TCB_NAME privilege. But as I already said in my
description, I don't recommend doing that. It's a good thing to just start
sshd under the LocalSystem account or another special `sshd' account with that
privilege and to use RSA/DSA authentication to log on to the system. Sshd is
running as root on U*X systems for exactly that reason.

> A few years ago I created an "su" program that I use for various purposes on
> Windows NT/2000. It has a service that is run under an account that has
> that privilege and a few others. The service is an OLE server and can be
> called from any application with a user's name and password as well as the
> name of a program to be executed. The service then impersonates the
> requested user and executes the application. This avoids giving the user's
> account a privilege that IMO is dangerous.

I never recommended doing that. Not every user may change user context.
It's the decision of the admin to allow or disallow that.

> I would recommend incorporating such functionality into a daemon like what I
> understand Egor was working on.

An extra service routine would never allow just forking a process. That
would, for example, require changing various parts of sshd to work. With
the subauth DLL, sshd could work as its own service as described above.

> I have one question. Has anyone figured out a way in Windows to allow root
> to "su username" without knowing the user's password?

That's exactly the problem my subauthentication DLL solves. It provides a
way to log on without a password. Unfortunately there's no way in NT/W2K to
do that if you don't have the SE_TCB_NAME or the SE_CREATE_TOKEN_NAME
privilege. Interestingly enough, _if_ you have the SE_TCB_NAME privilege,
that nevertheless allows changing user context only if you know the password.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
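The thread's point is that SE_TCB_NAME ("Act as part of the operating system") should stay with LocalSystem or one dedicated service account, never with ordinary login accounts. As an added example (not part of the mailing-list message or of Cygwin), the following PowerShell audit lists every account that currently holds that right on a Windows host and flags anything other than LocalSystem for review; it assumes an elevated prompt and the built-in secedit tool.

```powershell
# Added example, not from the mailing list: list who holds SeTcbPrivilege
# (the user-rights name of SE_TCB_NAME) and flag non-LocalSystem holders.
# Assumes an elevated PowerShell session; secedit ships with Windows.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported INF holds a line like:  SeTcbPrivilege = *S-1-5-18,*S-1-5-21-...
$line = Select-String -Path $cfg -Pattern '^SeTcbPrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    # No explicit assignment: LocalSystem holds the right inherently and
    # nobody else has been granted it, which is the expected state.
    Write-Output 'SeTcbPrivilege: no explicit assignments (LocalSystem only).'
    return
}

# Holders are comma-separated; SIDs are prefixed with '*', names are not.
$holders = ($line.Line -split '=', 2)[1].Trim() -split ',' | Where-Object { $_ }

foreach ($h in $holders) {
    $h = $h.Trim()
    if ($h.StartsWith('*')) {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($h.Substring(1))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "$h (unresolved SID)"
        }
    } else {
        $name = $h
    }

    # S-1-5-18 is LocalSystem; any other holder is the case the thread warns about.
    $status = if ($h -eq '*S-1-5-18') { 'expected' } else { 'REVIEW: not LocalSystem' }

    [pscustomobject]@{ Account = $name; Status = $status }
}
```

A dedicated sshd service account will legitimately show up as REVIEW; anything that is also an interactive login account is the configuration the message advises against.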