This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: PATCH: login under privileged user != SYSTEM

On Apr 17 01:48, Charles Wilson wrote:
> I've been trying to get all the bugs in inetutils-1.5 squashed, and I ran 
> into an issue with rlogin when rlogind was running under a privileged user 
> (that is, not SYSTEM), as is required for Windows Server 2003, 2008, and 
> Vista.
> The problem was, although rsh would honor my .rhosts and allow passwordless 
> operation, rlogin would not. It always asked for my password.
> Internally, rlogind *knew* that the incoming connection was "authenticated" 
> via .rhosts, so it invoked login thus:
> login -p -h <incoming hostname> -f -- <username>
> where the '-f' SHOULD mean "this is already authenticated, don't ask for 
> the password again".  But it wasn't working, because login was hardcoded to 
> compare the current uid to 18 (that is, SYSTEM), before allowing 
> passwordless auth.  But rlogind/login were not running under SYSTEM.
> I don't think you can simply replace the code in login, the way we did in 
> many of the servers, tho:
>  #ifdef __CYGWIN__
> -#define  ROOT_UID    18
> +#define  ROOT_UID    getuid()
>  #else
>  #define  ROOT_UID     0
>  #endif
> because then you'd allow passwordless auth no matter what account login was 
> running under. Now, it might fail later, assuming we added code to check 
> whether some future setuid() succeeded or not, but I think that's too late 
> in the process.
> So, for *login*, I changed the code from
>    if (uid == ROOT_UID)
> to
>    if (is_a_ROOT_UID(uid))
> and implemented a function that, depending on the underlying windows 
> version, either
>   (1) compares to 18
>   (2) checks that the account with the specified uid has the following 
> privileges:
> +        SeAssignPrimaryTokenPrivilege
> +        SeCreateTokenPrivilege
> +        SeTcbPrivilege
> +        SeIncreaseQuotaPrivilege
> +        SeServiceLogonRight
> (On NT/2k/XP, uid = 18 is an automatic "yes", but if uid != 18, then we 
> fall back to the Vista check-privileges procedure)
> With these changes, I can now get passwordless rlogin when inetd is running 
> under a privileged user, and not SYSTEM.
> Most of the code was adapted from editrights/main.c...

Cool, thanks!  Would you mind to take over login maintainance, too?  It
was always just the wagging tail of inetutils anyway...

Other than that, I'd like to suggest a few minor changes to the patch:

- The SeServiceLogonRight doesn't have to be tested, IMHO.  It doesn't
  have anything to do with user account switching.

- I don't understand why NT4 is handled specially by only checking for the
  uid while 2K and XP get the additional account check if necessary.  None
  of the functions are new with 2K, they all exists since NT 3.51.

- I wouldn't do the automatic yes for uid 18 anymore.  Even for NT/2K/XP
  it would be more correct to check if the current account running the
  process is the one with SID S-1-5-18.  Given that there's already
  so much code for Windows specific privilege checking, I don't think
  it hurts a lot to add something along the lines of

    AllocateAndInitializeSid (SECURITY_NT_AUTHORITY, 1, 18, ..., &system_sid);
    token = OpenProcessToken (GetCurrentProcess ());
    user_sid = GetTokenInformation(token, TOKEN_USER);
    if (EqualSid (user_sid, system_sid))

Thanks again,

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Unsubscribe info:
Problem reports:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]