This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: [ssh-l] Running commands under the SYSTEM account ?


I don't understand why creating a token
as SYSTEM doesn't work.  I read the email
you pointed me to and I still don't get it.
If sshd uses NtCreateToken, it should work.

The CVS server CVSNT calls NtCreateToken 
as the SYSTEM user.  The CVSNT service
runs under the local SYSTEM account.  It works.  

Tony? 

----- Original Message ----- 
From: "Peter Buckley" <peter.buckley@cportcorp.com>
To: <ssh-l@erdelynet.com>; <terris@terris.com>
Sent: Wednesday, October 17, 2001 2:07 PM
Subject: Re: [ssh-l] Running commands under the SYSTEM account ?


Okay, I looked around this time and 
found that sshd does use NtCreateToken, 
but it has some drawbacks- specifically, 
the token is not unique and so will not have 
the same rights as your user account. 

http://www.cygwin.com/ml/cygwin/2001-05/msg01228.html

Only the SYSTEM account has the 
NtCreateToken privilege to start off with, 
and it is recommended that no other account 
have that privilege except for testing purposes. 

That would seem to be why sshd runs the shell 
as SYSTEM, because by default it doesn't 
think your user account will have the NtCreateToken 
privilege. 

So is a solution to change the code to 
not be the SYSTEM user, and give your user 
account the NtCreateToken privilege but as always 
"beware the evils of running as a privileged 
account"?

-Peter

Terris wrote:
> 
> This is not an NT problem.  The cygwin people
> have already solved it with CVS & pserver.
> There is a way to context switch to any user without a
> password as long as the user running the process has a
> particular privilege enabled.
> 
> I've seen the same conversations on the cvsnt
> mailing list about how brain-damaged NT is.
> But guess what, both CVSNT and cygwin's
> CVS now do it right.
> 
> The advantages of UNIX are that the flavors
> are all similar.  If you can su on one flavor
> you also can on another.  Plus the
> concept of "su" on UNIX is well known.
> 
> But on NT, unless you've done it before,
> you have no way of knowing how to su,
> either via the command line or via C
> programs or via the GUI.
> The API documentation is totally garbled,
> perhaps intentionally since this knowledge
> can be used to build worms.
> 
> PS, Here's how (from the CVSNT archives)...
> 
> > NtCreateToken doesn't need a password, just a privilege (Create Token),
> > so you can impersonate any given user without having to know their
> > password.
> 
> ----- Original Message -----
> From: "Peter Buckley" <peter.buckley@cportcorp.com>
> To: <ssh-l@erdelynet.com>; <terris@terris.com>
> Sent: Wednesday, October 17, 2001 1:20 PM
> Subject: Re: [ssh-l] Running commands under the SYSTEM account ?
> 
> You've definitely found the weak point
> of cygwin's ssh, and correspondingly
> rsh (inetd) as well. It has been explained
> to me by the developers that this
> behavior of running the shell as SYSTEM
> is a necessary evil of NT. When you run
> without password authentication, what
> happens is a "user context switch." There
> is no login, and hence NT authentication
> cannot occur. This isn't really a case of
> cygwin not being robust, it is that NT
> isn't robust at all.
> 
> The workaround is to compile your own
> sshd. Even if you don't know C, it is
> probably very clear in the source code
> that the user context is not switched,
> or it is not switched at the correct
> time.
> 
> My experience is with rsh (and inetd).
> The code clearly tries to cd to the
> user's home directory as SYSTEM,
> then changes context to the user, and
> then executes the command. Seems pretty
> brain damaged to me, but the developers
> have explained that this is a "security
> feature" that prevents users with
> non-existent home directories from getting
> to the root directory. On rsh, I really
> don't care, since it is insecure to begin
> with, so I am compiling my own.
> 
> The other thing you can try is to run
> the sshd service as a different user,
> one with the appropriate rights. Although
> the cygwin developers say otherwise,
> running an inetd/sshd service as SYSTEM
> has serious limitations in the real world,
> due to the lack of functionality in NT.
> 
> HTH,
> Peter
> 
> Terris wrote:
> >
> > There seems to be a difference in how
> > commands are run from sshd depending on
> > whether password or key (I'm using RSA)
> > authentication is used.
> >
> > I verified this by writing my own app that is used
> > as my shell.
> >
> > This application calls
> > OpenThreadToken or OpenProcessToken
> > if it fails.  I then call LookupAccountSid
> > and write the domain and user name to
> > a log.
> >
> > When RSA authentication is used, the SYSTEM
> > account is used to run the shell.  When password
> > authentication is used, the shell is run under the
> > corresponding NT user that logged in.  It's not
> > very useful for me for the shell to be run
> > under SYSTEM and I don't want to use
> > password authentication.
> >
> > Any ideas?
> >
> > I guess Cygwin isn't as robust as I had
> > hoped it would be.
> >
> > Thanks,
> > Terris
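
The thread notes that the Create Token privilege lets a process impersonate any user without a password and that no account other than SYSTEM should normally hold it. The following is an added example, not code from the thread or from Cygwin: it parses a user-rights export (as written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`) and lists every principal granted SeCreateTokenPrivilege. The sample export, its SID and the account name `sshd_test` are constructed for illustration.

```python
# Added example: audit which accounts were granted "Create a token object".
# Input is the text of a user-rights export; the real file is usually
# UTF-16, so decode it before passing it in.

LOCAL_SYSTEM_SID = "S-1-5-18"  # allowed if it is ever listed explicitly

# Constructed sample, not taken from a real host.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1005,sshd_test
SeTcbPrivilege =
[Version]
signature="$CHICAGO$"
Revision=1
"""

def privilege_holders(export_text, privilege):
    """Return the principals listed for one right in [Privilege Rights]."""
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() != privilege.lower():
            continue
        # SIDs are written with a leading '*'; resolved names are written bare.
        return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []  # right absent from the export: granted to nobody

def unexpected_holders(export_text, privilege="SeCreateTokenPrivilege",
                       allowed=(LOCAL_SYSTEM_SID,)):
    """Principals holding the right that are not on the allow-list."""
    allowed_lc = {a.lower() for a in allowed}
    return [p for p in privilege_holders(export_text, privilege)
            if p.lower() not in allowed_lc]

if __name__ == "__main__":
    for principal in unexpected_holders(SAMPLE_EXPORT):
        print("review: SeCreateTokenPrivilege granted to", principal)
```
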




