X-Recipient: archive-cygwin AT delorie DOT com X-Spam-Check-By: sourceware.org Date: Tue, 27 Apr 2010 11:10:11 +0200 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: Filtered tokens Message-ID: <20100427091011.GB12365@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.20 (2009-06-14) Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com On Apr 26 15:34, Patrick Julien wrote: > I have read the page found at > http://www.cygwin.com/cygwin-ug-net/ntsec.html but I still see the > following 2 issues with filtered tokens as implemented by Vista/7 when > used by cygwin. > > When I say filtered tokens, I'm talking about the dual token strategy > these systems use to keep administrators running under non admin > privileges most of the time. You mean UAC. > 1. When using ssh/sshd, the token assigned to a user on login is the > fully privileged one. Deliberately. Otherwise you can't perform admin tasks from a remote session. > And it doesn't matter if I am using keys or a password to login. I am > running under my "full privileged" token. Setting the password using > "password -R" has no effect either. I would be surprised if it had. After all it's only a single account with a crippled and a full token. I'm surprised anybody wants the crippled token in a remote SSH session. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple