This is the mail archive of the cygwin mailing list for the Cygwin project.

Re: Possible Security Hole in SSHD w/ CYGWIN?

On Wed, Feb 10, 2016 at 12:21 AM, David Willis wrote:
> Thank you for the response.
> That is the problem though, it is not an error I am getting (that is in fact
> the issue is that I SHOULD be getting a "permission denied" but I am not).
> The problem is that I have access to things that I should not. Since this is
> plain text only I can't post a SS of the open session that is shown in
> Computer Management->Shared Folders->Sessions, but it shows the privileged
> server account "cyg_server" instead of the user that I am accessing the
> share as (the user I SSH'd in as).
> And I just found out with further testing that when I connect using a
> password to Cygwin SSHD server, then access the file share, I have the
> correct permissions and it shows an open session as the user I connected as
> like it should. So it is something specifically that happens when connecting
> using public key authentication.
> Here is an example though:
> [user]@[client machine] ~$ ssh [user]@[SSH server].[domain]
> Enter passphrase for key '/home/[user]/.ssh/id_dsa':
> Last login: Mon Feb  8 21:41:51 2016 from [client machine]
> [user]@[SSH server] //[file server]/[share] $ ls -l
> total 8
> drwxrwx---+ 1 [admin user]  Domain Users    0 Feb  7 18:29 [private folder]
> drwxrwx---+ 1 [user]        Domain Users    0 Feb  7 17:31 [public folder]
> [user]@[SSH server] //[file server]/[share] $ ls -l [private folder]
> total 8
> -rwxrwx---+ 1 [admin user] Domain Users 6070 Feb  6 22:50 [private file]
> Please note that the user on the client machine and the user I am connecting
> as on the SSH server are the same user account (a domain account). The
> [admin account] is a domain account w/ domain admin privileges. The private
> folder has NTFS ACLs set on it to prevent anyone other than domain admins
> from listing the contents (as does the file inside it have ACLs preventing
> anyone other than domain admins from reading it). The public folder is
> listable by any domain users.
> Now what happens when I login with a password instead of a key:
> [user]@[client machine] ~$ ssh [user]@[SSH server].[domain]
> [user]@[SSH server].[domain]'s password:
> Last login: Tue Feb  9 20:18:44 2016 from [client machine]
> [user]@[SSH server] //[file server]/[share] $ ls -l
> total 8
> drwxr-x---  1 Unknown+User   Unknown+Group    0 Feb  7 18:29 [private folder]
> drwxrwx---+ 1 [user]        Domain Users     0 Feb  7 17:31 [public folder]
> [user]@[SSH server] //[file server]/[share] $ ls -l [private folder]
> ls: cannot open directory [private folder]: Permission denied
> The behavior the second time is what I would expect the first time. Also in
> the second scenario, Computer Management->Shared Folders->Sessions shows the
> proper user being connected (the user I SSH'd in as) instead of the
> privileged server account "cyg_server".
> Thanks again for any help - much appreciated
> David

With the precise steps listed/demonstrated, I've reproduced it.

I connected with ssh as a normal user using a private key, and cd'd to
//server/c$/ successfully, and in the Windows active sessions, it does
indeed show "cyg_server" as the connected user, not the user I logged
in with.  Trying this using a password rather than a private key
behaves as expected.

Taking this a step further, I created a new directory from Windows
Explorer and reset the permissions to explicitly deny access to the
normal user I tested with.  Then I tried to cd to
/cygdrive/c/access_denied_test/ and received the expected access
denied message, but when I tried to cd to
//server/c$/access_denied_test/ I succeeded, and was able to create
new files in the directory.

I can provide screen shots of the reproduction without the need to
redact quite so much.

-- Erik
