Resurrecting subauth

Corinna Vinschen
Fri Jul 14 13:07:00 GMT 2006

Yes, you're reading right.

Following up on this discussion from back in 2002:
Wow, 3 1/2 years ago...

Unfortunately the discussion died down without a result.  Along the same
lines as stopping 9x support, I think it's time to resurrect the
subauthentication stuff.  It's tested on 2K, XP and 2K3 and it works on
all three systems.  I did not test on Vista and 64 bit XP/2K3, but right
now I don't really care.  NT4 is basically a dead fish as well, so I
do care even less.  For these cases we still have create_token, so what?

The advantage of subauthentication is clear, I guess:  Native Windows
processes will see the correct user name.  I got a report about a native
cvs which creates all files owned by the SYSTEM user, when contacted
through a Cygwin ssh session.  People, including the OpenSSH developers,
are concerned that this is a security hole.  As we know, it isn't, but
it stays tricky to explain, right?  Besides, it is very annoying.

The disadvantage of subauthentication is that it's a potential security
hole in itself since it allows a knowledgeable process to get a token of
any enabled user account.  However, this is just a theoretical security
hole, since the process needs SeTcbPrivileges to do that, and a process
having SeTcbPrivileges already *has* privileged access and can get what
it wants quite easily anyway.  It doesn't need subauth for that.

So, I implemented Hartmut's idea of calling subauth first.  If subauth
fails, the code just falls back to create_token.  In contrast to
Hartmut's suggestion, I call create_token not only if verify_token fails,
but always.  The reason is 2K3.  The tools in /WINDOWS/system32 as, for
instance, net.exe, have the following ACLs:

  Administrators: Full Control
  BATCH:          Read&Execute
  INTERACTIVE:    Read&Execute
  SERVICE:        Read&Execute
  SYSTEM:         Full Control

Unfortunately, none of these groups is in the user token of an
unprivileged user logging in through subauthentication.  The user has only
the NETWORK group membership (talking about only the special groups).
Therefore it's necessary to recreate the token so that the user is at
least a member of the INTERACTIVE group.

The subauth module itself still builds (and works) fine with just a tiny
change to the Makefile.

The above is implemented in the cv-branch for further inspection.

Any comments on this?  Suggestions to change the method in some way?

What's *really* missing is a script which installs the cygsuba.dll into
c:/windows/system32/ and adds the registry key:

HKLM/SYSTEM/CurrentControlSet/Control/Lsa/MSV1_0/Auth255 REG_SZ:"CYGSUBA"

Also, to get it working on 2k3, the privileged user (for instance
sshd_server) requires SeTcbPrivileges, otherwise subauthentication
fails.  This would also be something the script could fix.

This script should not run automatically, of course.  The user must
decide by him- or herself if he or she wants to get something installed into

Is anybody here who wants to take a stab at creating this script?

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
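As an added check for the installation the post describes (editor's example, not Corinna's code and not part of the Cygwin tree): a PowerShell audit that reads the MSV1_0 Auth* values, confirms each registered subauthentication DLL is actually in System32, and lists every account holding SeTcbPrivilege. It assumes an elevated session on Windows with secedit.exe available; the temp file name and the output format are my own.

```powershell
# Editor's added audit script, not from the post or the Cygwin project.
# Assumes an elevated PowerShell session on Windows with secedit.exe present.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Subauthentication packages are registered as REG_SZ values named AuthNNN
# (the post uses Auth255 = "CYGSUBA"); the value is the DLL base name.
$packages = (Get-ItemProperty -Path $msv).PSObject.Properties |
    Where-Object { $_.Name -match '^Auth\d+$' }

if (-not $packages) {
    Write-Output 'No subauthentication packages registered under MSV1_0.'
}
foreach ($pkg in $packages) {
    # The DLL must live in System32, which is where the post's script
    # would copy cygsuba.dll; flag registrations whose DLL is absent.
    $dll = Join-Path $env:SystemRoot ('System32\{0}.dll' -f $pkg.Value)
    $state = if (Test-Path -Path $dll) { 'present' } else { 'MISSING' }
    Write-Output ('{0,-8} = {1,-12} {2} ({3})' -f $pkg.Name, $pkg.Value, $state, $dll)
}

# SeTcbPrivilege is what makes a subauth logon succeed on 2K3 and also what
# lets a process obtain a token for any user, so list every account holding it.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'   # constructed temp file name
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'No account holds SeTcbPrivilege.'
} else {
    # Right-hand side is a comma-separated list of *SID entries (occasionally plain names).
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $id = $entry.Trim().TrimStart('*')
        $name = $id
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }   # not a SID, or unresolvable: keep the raw entry
        Write-Output ('SeTcbPrivilege holder: {0}' -f $name)
    }
}
```

Run it before and after the install script so the new Auth value, the DLL in System32 and the SeTcbPrivilege grant to the sshd_server account all show up as expected, and nothing else has changed.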
