PATCH: login under privileged user != SYSTEM
Charles Wilson
cygwin@cwilson.fastmail.fm
Thu Apr 17 12:57:00 GMT 2008
I've been trying to get all the bugs in inetutils-1.5 squashed, and I
ran into an issue with rlogin when rlogind was running under a
privileged user (that is, not SYSTEM), as is required for Windows Server
2003, 2008, and Vista.
The problem was, although rsh would honor my .rhosts and allow
passwordless operation, rlogin would not. It always asked for my password.
Internally, rlogind *knew* that the incoming connection was
"authenticated" via .rhosts, so it invoked login thus:
login -p -h <incoming hostname> -f -- <username>
where the '-f' SHOULD mean "this is already authenticated, don't ask for
the password again". But it wasn't working, because login was hardcoded
to compare the current uid to 18 (that is, SYSTEM), before allowing
passwordless auth. But rlogind/login were not running under SYSTEM.
I don't think you can simply replace the code in login, the way we did
in many of the servers, tho:
#ifdef __CYGWIN__
-#define ROOT_UID 18
+#define ROOT_UID getuid()
#else
#define ROOT_UID 0
#endif
because then you'd allow passwordless auth no matter what account login
was running under. Now, it might fail later, assuming we added code to
check whether some future setuid() succeeded or not, but I think that's
too late in the process.
So, for *login*, I changed the code from
if (uid == ROOT_UID)
to
if (is_a_ROOT_UID(uid))
and implemented a function that, depending on the underlying windows
version, either
(1) compares to 18
(2) checks that the account with the specified uid has the following
privileges:
+ SeAssignPrimaryTokenPrivilege
+ SeCreateTokenPrivilege
+ SeTcbPrivilege
+ SeIncreaseQuotaPrivilege
+ SeServiceLogonRight
(On NT/2k/XP, uid = 18 is an automatic "yes", but if uid != 18, then we
fall back to the Vista check-privileges procedure)
With these changes, I can now get passwordless rlogin when inetd is
running under a privileged user, and not SYSTEM.
Most of the code was adapted from editrights/main.c...
--
Chuck
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: login-1.9-7.vista.patch
URL: <http://cygwin.com/pipermail/cygwin/attachments/20080417/cd6d936f/attachment.ksh>
-------------- next part --------------
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
More information about the Cygwin
mailing list