PATCH: login under privileged user != SYSTEM

Charles Wilson cygwin@cwilson.fastmail.fm
Thu Apr 17 12:57:00 GMT 2008


I've been trying to get all the bugs in inetutils-1.5 squashed, and I 
ran into an issue with rlogin when rlogind was running under a 
privileged user (that is, not SYSTEM), as is required for Windows Server 
2003, 2008, and Vista.

The problem was, although rsh would honor my .rhosts and allow 
passwordless operation, rlogin would not. It always asked for my password.

Internally, rlogind *knew* that the incoming connection was 
"authenticated" via .rhosts, so it invoked login thus:

login -p -h <incoming hostname> -f -- <username>

where the '-f' SHOULD mean "this is already authenticated, don't ask for 
the password again".  But it wasn't working, because login was hardcoded 
to compare the current uid to 18 (that is, SYSTEM), before allowing 
passwordless auth.  But rlogind/login were not running under SYSTEM.


I don't think you can simply replace the code in login, the way we did 
in many of the servers, tho:

  #ifdef __CYGWIN__
-#define  ROOT_UID    18
+#define  ROOT_UID    getuid()
  #else
  #define  ROOT_UID     0
  #endif
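
Review bot: on the `+#define  ROOT_UID    getuid()` line, ROOT_UID stops being a constant and becomes a call that returns the caller's own uid, so a `uid == ROOT_UID` test against the current uid can never fail. Keep the literal 18 in the macro and put the decision for non-SYSTEM accounts in a separate, explicit check.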

because then you'd allow passwordless auth no matter what account login 
was running under. Now, it might fail later, assuming we added code to 
check whether some future setuid() succeeded or not, but I think that's 
too late in the process.

So, for *login*, I changed the code from
    if (uid == ROOT_UID)
to
    if (is_a_ROOT_UID(uid))

and implemented a function that, depending on the underlying Windows 
version, either
   (1) compares to 18
   (2) checks that the account with the specified uid has the following 
privileges:
+        SeAssignPrimaryTokenPrivilege
+        SeCreateTokenPrivilege
+        SeTcbPrivilege
+        SeIncreaseQuotaPrivilege
+        SeServiceLogonRight
(On NT/2k/XP, uid = 18 is an automatic "yes", but if uid != 18, then we 
fall back to the Vista check-privileges procedure)

With these changes, I can now get passwordless rlogin when inetd is 
running under a privileged user, and not SYSTEM.

Most of the code was adapted from editrights/main.c...

--
Chuck
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: login-1.9-7.vista.patch
URL: <http://cygwin.com/pipermail/cygwin/attachments/20080417/cd6d936f/attachment.ksh>
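
An added example, not the attached patch or Cygwin's own code: a C model of the decision the message describes for is_a_ROOT_UID, showing that a missing privilege or missing rights data denies passwordless login. The account_rights struct, the vista_or_later flag and the sample accounts are assumptions; the caller supplies the account's rights here instead of querying Windows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define SYSTEM_UID 18  /* Cygwin uid of SYSTEM, per the message */

/* The five rights the message lists for a privileged account. */
static const char *const required_rights[] = {
    "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege",
    "SeTcbPrivilege", "SeIncreaseQuotaPrivilege", "SeServiceLogonRight",
};
#define N_REQUIRED (sizeof required_rights / sizeof required_rights[0])

/* Hypothetical input: rights held by the account behind a uid,
 * as the caller obtained them from the OS. */
struct account_rights { const char *const *names; size_t count; };

/* True only if every required right appears in `held`;
 * fails closed on a NULL or empty list. */
static bool has_all_required(const struct account_rights *held)
{
    if (held == NULL || held->names == NULL)
        return false;
    for (size_t i = 0; i < N_REQUIRED; i++) {
        bool found = false;
        for (size_t j = 0; j < held->count && !found; j++)
            found = held->names[j] != NULL &&
                    strcmp(held->names[j], required_rights[i]) == 0;
        if (!found)
            return false;
    }
    return true;
}

/* Model of the described check (assumed signature): on NT/2k/XP uid 18
 * is an automatic yes; every other case needs the full privilege set. */
bool is_a_root_uid(int uid, bool vista_or_later,
                   const struct account_rights *held)
{
    if (!vista_or_later && uid == SYSTEM_UID)
        return true;
    return has_all_required(held);
}

/* Constructed sample accounts for illustration. */
static const char *const partial_names[] = { "SeTcbPrivilege", "SeServiceLogonRight" };
const struct account_rights sample_full = { required_rights, N_REQUIRED };
const struct account_rights sample_partial = { partial_names, 2 };
```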