This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: admin privileges when logging in by ssh?
On Oct 15 13:32, Andrew Schulman wrote:
> > On Oct 14 21:14, Corinna Vinschen wrote:
> > I applied a patch to CVS which should solve this problem in a generic
> > way. I observed how Windows handles the privileges when creating a
> > token and your scenario should be nicely covered now. I also dropped a
> > somewhat dangerous behaviour in terms of security when creating a token
> > from scratch.
>
> Thank you. I'll test the next snapshot and let you know how it goes.
>
> You said that Cygwin should only set the high mandatory level if the token
> contains certain privileges. So I guess that SeBackupPrivilege and
> SeRestorePrivilege are among the ones that trigger the high mandatory
> level? Anything more we should know about that?
By simply trying them out, I created a list of the privileges which
trigger the high integrity level requirement. See, for instance,
http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/sec_helper.cc.diff?r1=1.93&r2=1.94&cvsroot=src&f=h
For the security related change, see the second patch snippet in
http://sourceware.org/cgi-bin/cvsweb.cgi/src/winsup/cygwin/sec_auth.cc.diff?r1=1.41&r2=1.42&cvsroot=src&f=h
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple