This is the mail archive of the
cygwin-developers
mailing list for the Cygwin project.
Re: Request for help debugging screen problem
On Feb 7 14:01, Shaddy Baddah wrote:
> On 6/02/2010 10:59 AM, Corinna Vinschen wrote:
> >It's Session Isolation.
> >
> >Up to Windows 2003, the desktop and the services are running in the same
> >session 0. Starting with Windows Vista, only the service processes are
> >still running in session 0, while all other sessions including the local
> >desktop are running in other sessions. Non-admin users and restricted
> >(not-elevated) admin users have no right to penetrate the session
> >barrier. That's the reason the OpenProcess fails with
> >ERROR_ACCESS_DENIED.
> >
> >However, this shouldn't be the case for cygrunsrv if it's running in
> >session 0 under the SYSTEM account. The system user should have
> >permission to break the session barrier. What problem occurs in
> >cygrunsrv exactly when it's running?
> >[...]
>
> I'm sorry, I have abandoned inspect what the issue with cygserver is
> because I've realised what the real situation is. int
> fhandler_tty_slave::open (int, mode_t) needs to call OpenProcess
> with PROCESS_DUP_HANDLE on the tty master process. When logged in
> via ssh, this is the dedicated sshd process still owned by
> cyg_server.
Huh? That's not how you explained the situation originally. IIUYC, the
situation is that a desktop user created a screen session and then the
same user trying to connect to the screen session from a ssh session
gets a permission denied. In that case, the screen application is the
pty master and when trying to connect from the ssh session, it has to
open the screen process.
> Using ProcExplorer, I see that the regular Users grouped user
> (shaddy account actually) does not have any permissions to this
> process. The (full) permissions are only for:
>
> SYSTEM
> cyg_server
> Administrators
>
> Is this due to a recent security change (I vaguely recall some
> mailing list discussion around something close to this)? Is this the
> reason for the cygserver alternative?
No, the cygserver alternative was discussed to workaround a security
problem due to the OpenProcess.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat