This is the mail archive of the
mailing list for the Cygwin project.
Re: PATCH: login under privileged user != SYSTEM
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Thu, 17 Apr 2008 11:51:05 +0200
- Subject: Re: PATCH: login under privileged user != SYSTEM
- References: <4806E4C6.email@example.com>
- Reply-to: cygwin at cygwin dot com
On Apr 17 01:48, Charles Wilson wrote:
> I've been trying to get all the bugs in inetutils-1.5 squashed, and I ran
> into an issue with rlogin when rlogind was running under a privileged user
> (that is, not SYSTEM), as is required for Windows Server 2003, 2008, and
> The problem was, although rsh would honor my .rhosts and allow passwordless
> operation, rlogin would not. It always asked for my password.
> Internally, rlogind *knew* that the incoming connection was "authenticated"
> via .rhosts, so it invoked login thus:
> login -p -h <incoming hostname> -f -- <username>
> where the '-f' SHOULD mean "this is already authenticated, don't ask for
> the password again". But it wasn't working, because login was hardcoded to
> compare the current uid to 18 (that is, SYSTEM), before allowing
> passwordless auth. But rlogind/login were not running under SYSTEM.
> I don't think you can simply replace the code in login, the way we did in
> many of the servers, tho:
> #ifdef __CYGWIN__
> -#define ROOT_UID 18
> +#define ROOT_UID getuid()
> #define ROOT_UID 0
> because then you'd allow passwordless auth no matter what account login was
> running under. Now, it might fail later, assuming we added code to check
> whether some future setuid() succeeded or not, but I think that's too late
> in the process.
> So, for *login*, I changed the code from
> if (uid == ROOT_UID)
> if (is_a_ROOT_UID(uid))
> and implemented a function that, depending on the underlying windows
> version, either
> (1) compares to 18
> (2) checks that the account with the specified uid has the following
> + SeAssignPrimaryTokenPrivilege
> + SeCreateTokenPrivilege
> + SeTcbPrivilege
> + SeIncreaseQuotaPrivilege
> + SeServiceLogonRight
> (On NT/2k/XP, uid = 18 is an automatic "yes", but if uid != 18, then we
> fall back to the Vista check-privileges procedure)
> With these changes, I can now get passwordless rlogin when inetd is running
> under a privileged user, and not SYSTEM.
> Most of the code was adapted from editrights/main.c...
Cool, thanks! Would you mind to take over login maintainance, too? It
was always just the wagging tail of inetutils anyway...
Other than that, I'd like to suggest a few minor changes to the patch:
- The SeServiceLogonRight doesn't have to be tested, IMHO. It doesn't
have anything to do with user account switching.
- I don't understand why NT4 is handled specially by only checking for the
uid while 2K and XP get the additional account check if necessary. None
of the functions are new with 2K, they all exists since NT 3.51.
- I wouldn't do the automatic yes for uid 18 anymore. Even for NT/2K/XP
it would be more correct to check if the current account running the
process is the one with SID S-1-5-18. Given that there's already
so much code for Windows specific privilege checking, I don't think
it hurts a lot to add something along the lines of
AllocateAndInitializeSid (SECURITY_NT_AUTHORITY, 1, 18, ..., &system_sid);
token = OpenProcessToken (GetCurrentProcess ());
user_sid = GetTokenInformation(token, TOKEN_USER);
if (EqualSid (user_sid, system_sid))
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html