X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Tue, 4 Oct 2011 11:44:40 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: admin privileges when logging in by ssh?
Message-ID: <20111004094440.GB14728@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <rg0q679hpajl00ujv34jtmavsanhpb6n2t AT 4ax DOT com> <fb5s67hrbvq8lej86nqjhfp0et01fc6lsf AT 4ax DOT com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <fb5s67hrbvq8lej86nqjhfp0et01fc6lsf@4ax.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Sep 12 10:24, Andrew Schulman wrote:
> > When a user with administrative privileges logs in to sshd, it seems that the user is only granted
> > standard user privileges for that session.  Is there a way around that?  How can I get the admin
> > privileges for that session?
> 
> Winding this up:
> 
> Password authentication to sshd is all that's needed to be granted the account's admin privileges on
> login.  I was mistaken about UAC:  unlike at the console, when you log in by ssh, the account's
> admin privileges are granted at login, without needing any further authentication to UAC.

I'm quite puzzeled since password authentication should not be needed.
This should work with pubkey as well.  Please see
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview for
a discussion how setuid works in Cygwin.

In all cases, password auth and passwordless auth, you should get a full
admin token.  In case of password auth and in the passwordless methods
2 and 3, the OS returns a restricted token under UAC, but that token
has a reference to the full admin token attached.  Cygwin fetches this
token and uses that when switching the user context.  In the default
passwordless method 1, Cygwin creates a token from scratch, which also
has full admin rights.  However, this token has a couple of problems as
described in http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
Probably that's what you stumble over.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple