New subdirectory in winsup

Corinna Vinschen
Mon May 7 10:24:00 GMT 2001

On Mon, May 07, 2001 at 11:56:02AM -0500, Parker, Ron wrote:
> > Then be sure to have an account with the SE_TCB_NAME "Act as part
> > of the operating system" privilege active since it's needed to
> > be able to contact the LSA subsystem which manages the user
> > authentication in NT/W2K. That right is by default only given to
> > LocalSystem. That's of course no advice to always create such an
> > account but it's only for testing purposes!
> Am I understanding properly that this privilege must be added to the user's
> log in account?  If so, it seems to me that this would possibly introduce
> some further security issues.

If user A (say, root) wants to `su' to a user account B (say, ronald
mc donald), then user A needs the SE_TCB_NAME privilege. But as I already
said in my description, I don't recommend doing that. It's a good
thing to just start sshd under the LocalSystem account or another special
`sshd' account with that privilege and to use RSA/DSA authentication to
log on to the system. Sshd is running as root on U*X systems for exactly
that reason.

> A few years ago I created an "su" program that I use for various purposes on
> Windows NT/2000.  It has a service that is run under an account that has
> that privilege and a few others.  The service is an OLE server and can be
> called from any application with a user's name and password as well as the
> name of a program to be executed.  The service then impersonates the
> requested user and executes the application.  This avoids giving the user's
> account a privilege that IMO is dangerous.

I never recommended doing that. Not every user may change user
context. It's the decision of the admin to allow or disallow

> I would recommend incorporating such functionality into a daemon like what I
> understand Egor was working on.

An extra service routine would never allow one to just fork a
process. That would, for example, require changing various
parts of sshd to work. With the subauth DLL, sshd could
work as its own service as described above.

> I have one question.  Has anyone figured out a way in Windows to allow root
> to "su username" without knowing the users password?

That's exactly the problem my subauthentication DLL solves. It
provides a way to log on without a password. Unfortunately there's
no way in NT/W2K to do that if you don't have the SE_TCB_NAME
or the SE_CREATE_TOKEN_NAME privilege. Interestingly enough, _if_
you have the SE_TCB_NAME privilege, it nevertheless allows changing
user context only if you know the password.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer
Red Hat, Inc.
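The point Ron and Corinna go back and forth on is which accounts hold SeTcbPrivilege ("Act as part of the operating system") and SeCreateTokenPrivilege. The following is an added example, not code from the thread, Cygwin or sshd: a PowerShell audit that shows whether the current token carries SeTcbPrivilege and which accounts local security policy grants the two privileges to. It assumes a Windows host, an elevated session (secedit needs one), and the `[Privilege Rights]` export format secedit writes (`SeTcbPrivilege = *S-1-5-...`).

```powershell
# Added example, not from the thread above: audit who holds the two
# privileges Corinna names, SeTcbPrivilege ("Act as part of the operating
# system") and SeCreateTokenPrivilege, and whether the current token has them.
# Assumes a Windows host and an elevated PowerShell session (secedit needs it).

# 1. Does the account running this script hold SeTcbPrivilege right now?
$own = whoami /priv | Where-Object { $_ -match '^SeTcbPrivilege\s' }
if ($own) { "Current token: $own" } else { "Current token: SeTcbPrivilege not present" }

# 2. Which accounts are granted the privileges by local security policy?
#    secedit writes a [Privilege Rights] section with lines like
#    SeTcbPrivilege = *S-1-5-21-...-1001   (SIDs prefixed with '*', comma separated)
$cfg = Join-Path $env:TEMP ('privaudit-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

function Resolve-Grantee([string]$entry) {
    # Entries are '*<SID>' or occasionally a plain account name; translate
    # SIDs to names and return anything else unchanged.
    $value = $entry.Trim().TrimStart('*')
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $value }
}

foreach ($priv in 'SeTcbPrivilege', 'SeCreateTokenPrivilege') {
    $line = $policy | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    if (-not $line) {
        # Not listed: no account is granted it by policy. LocalSystem holds it
        # inherently, which is the default Corinna describes.
        "$priv : granted to no account by policy (LocalSystem only)"
        continue
    }
    $grantees = ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Grantee $_ }
    # Any ordinary user account listed here is the situation Ron worries about:
    # the privilege should sit on a dedicated service account, not a login account.
    "$priv : $($grantees -join ', ')"
}
```

On a default install the second part reports both privileges as granted to no account, which matches Corinna's remark that only LocalSystem has SE_TCB_NAME out of the box; a dedicated `sshd` service account set up the way she suggests would appear under SeTcbPrivilege, and anything else there is worth questioning.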
