Re: Switching the user context -- SeAssignPrimaryTokenPrivilege required Re: Installing sshd on W7 reveals errors in CSIH_SCRIPT -- patch file against master

[Corinna Vinschen <corinna-cygwin at cygwin dot com>]

On Jun  8 16:46, Houder wrote:
> Hi Corinna,
> 
> Maybe you are still around ... otherwise it will be for the next round.
> 
> During my exercise with sshd I was "forced" :-) to study the User Guide, as I
> am not "well informed" :-P about the security model of Windows.
> 
> I am referring to this paragraph:
> 
>     https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>     (switching the user context)
> 
> To get a bit more acquainted with the stuff, I decided to try your example at
> the beginning of this paragraph - i.e. the example in subparagraph "Switching
> the user context WITH password authentication".
> 
> (I modified the example in order to make a bit more "exciting" -- see below)
> 
> 64-@@# uname -a
> CYGWIN_NT-6.1 Seven 2.8.0(0.309/5/3) 2017-04-01 20:47 x86_64 Cygwin
> 64-@@# editrights -u Henri -l
> SeLockMemoryPrivilege <==== no special? privileges ...
> 
> 64-@@# ./setuid
> Password:
> BEFORE  uid = 1000,  gid =  513
> BEFORE euid = 1000, egid =  513
> AFTER   uid = 1004,  gid =  513
> AFTER  euid = 1004, egid =  513
> Surprise: execl() failed: : Operation not permitted
> retval = -1
> Should not be reached ...
> 64-@@#
> 
> First I tried adding SeTcbPrivilege ("extremely powerful", according to what I
> read at MSDN). Logoff/Logon ...
> 
> That did not help. Got the same result. So, NOT that powerful ...
> 
> Secondly I tried adding SeAssignPrimaryTokenPrivilege ... Logoff/Logon ...
> 
> 64-@@# ./setuid
> Password:
> BEFORE  uid = 1000,  gid =  513
> BEFORE euid = 1000, egid =  513
> AFTER   uid = 1004,  gid =  513
> AFTER  euid = 1004, egid =  513
> sh-4.4$ id
> uid=1004(jvdwater) gid=513(None) groups=513(None),545(Users),11(Authenticated Users)
> sh-4.4$ exit
> 64-@@# 
> 
> It might be ?obvious? to an expert on Windows (after having searched through
> MSDN?), that this privilege (SeAssignPrimaryTokenPrivilege) is required ...
> 
> That is, when one is going to invoke CreateProcessAsUser() ...
> 
> However, someone without that knowledge ...
> Perhaps a small note to that effect (special privilege required!) in "Switching
> the user context with password authentication" might help the 'innocent' reader.

You're not supposed to do that.  setuid() is a privileged call, so it's
supposed to be called by a privileged process only.  Do not add these
permissions to a normal user account unless you exactly know what you're
doing security-wise.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: signature.asc
Description: PGP signature