New subdirectory in winsup

Corinna Vinschen vinschen@redhat.com
Mon May 7 10:24:00 GMT 2001


On Mon, May 07, 2001 at 11:56:02AM -0500, Parker, Ron wrote:
> > Then be sure to have an account with the SE_TCB_NAME "Act as part
> > of the operating system" privilege active since it's needed to
> > be able to contact the LSA subsystem which manages the user
> > authentication in NT/W2K. That right is by default only given to
> > LocalSystem. That's of course no advice to always create such an
> > account but it's only for testing purposes!
> 
> Am I understanding properly that this privilege must be added to the user's
> log in account?  If so, it seems to me that this would possibly introduce
> some further security issues.

If user A (say, root) wants to `su' to a user account B (say, ronald
mc donald), then user A needs SE_TCB_NAME privilege. But as I already
told in my description, I don't recommend to do that. It's a good
thing to just start sshd under LocalSystem account or another special
`sshd' account with that privilege to use RSA/DSA authentication to
logon to the system. Sshd is running as root on U*X system for exactly
that reason.

> A few years ago I created an "su" program that I use for various purposes on
> Windows NT/2000.  It has a service that is run under an account that has
> that privilege and a few others.  The service is an OLE server and can be
> called from any application with a user's name and password as well as the
> name of a program to be executed.  The service then impersonates the
> requested user and executes the application.  This avoids giving the user's
> account a privilege that IMO is dangerous.

I never recommended to do that. Not every user may change user
context. It's the decision of the admin to allow or disallow
that.

> I would recommend incorporating such functionality into a daemon like what I
> understand Egor was working on.

An extra service routine would never allow to just fork a
process. That would for example require to change various
parts of sshd to work. With the subauth DLL, sshd could
work as it's own service as described above.

> I have one question.  Has anyone figured out a way in Windows to allow root
> to "su username" without knowing the users password?

That's exactly the problem my subauthentication DLL solves. It
provides a way to logon without password. Unfortunately there's
no way in NT/W2K to do that if you don't have the SE_TCB_NAME
or the SE_CREATE_TOKEN_NAME privilege. Interesting enough, _if_
you have SE_TCB_NAME privilege, that allows nevertheless changing
user context only if you know the password.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.



More information about the Cygwin-developers mailing list