This is the mail archive of the
mailing list for the Cygwin project.
Re: admin privileges when logging in by ssh?
On Oct 14 20:23, Corinna Vinschen wrote:
> On Oct 14 11:18, Andrew Schulman wrote:
> > So the difference AFAICT is the membership in the Administrators group.
> > Notice also in the two listings below, that by password authentication,
> > backup gets
> > Mandatory Label\High Mandatory Level
> > while by pubkey, he gets
> > Mandatory Label\Medium Mandatory Level
> > whatever those are.
> That's an UAC thingy. Keep in mind that Cygwin has to create the user
> token from scratch here, given that you are using passwored-less setuid
> method 1
> (per http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview).
> I'm not aware of a method to fetch the mandatory level SID a user is
> supposed to get, so what Cygwin does is simply to base the mandatory
> level SID on the membership in the admins group.
> As for the missing privileges, they are not missing in the user token,
> they are just disabled:
> But even then, if the backup/restore privileges are disabled, it shouldn't
> matter in Cygwin. Cygwin enables both privileges right at process startup.
> Having said that, I have no idea why the privileges are disabled in your
> token. The good news is that I can reproduce the behaviour on a Windows
> 2008 R2 box with a normal domain user account, which got explicit backup
> and restore rights.
> I don't know why this occurs when using password-less setui method 1,
> this is something which I have to debug yet.
I just debugged this and now I know why this happens. The problem
is the aforementioned Mandatory Label. A user token which has medium
mandatory level can not enable these privileges, even if they are in
the user token. If I create the token with high mandatory level,
it's no problem to enable the backup/restore permissions at process
However, I don't think it's a good idea to set the high mandatory level
on a token unconditionally. This should only be done if the token
contains certain privileges. The problem now is to find out which
permissions are affected by this. I don't see any list of privileges
on MSDN in terms of UAC restriction. Oh well, no pain, no gain.
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple