Request for help debugging screen problem

Corinna Vinschen corinna-cygwin@cygwin.com
Fri Feb 5 16:31:00 GMT 2010


On Feb  5 15:58, Shaddy Baddah wrote:
> On 5/02/2010 3:44 PM, Corinna Vinschen wrote:
> >>The issue is almost definitely related to the privilege model on
> >>these OSes, as as I expected, XP doesn't present with the same
> >>problem. It also does not present if I ssh into the unlocked
> >>Administrator account. It of course does present if logged into a
> >>Administrators grouped user account other than the standard
> >>Administrator user.
> >
> >Really?  The user token you're running under should be the elevated
> >admin token with full admin rights, at least as long as you have
> >logged in via ssh.  Hmm.  Except, if you have logged in via pubkey
> >authentication and you're using the user context switch method 1:
> >http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
> >In that case I don't know if the hand-crafted user token is really
> >accepted in terms of mandatory integrity tests, even though the token
> >contains the integrity SID.
> 
> I am logging using a password to an sshd configured using
> ssh-host-config. I login as a regular user only in the Users group,
> or an user in the Administrators group. Either way, the situation is
> the same. It is only as the true (unlocked) Administrator that I can
> reattach to screen sessions.

That makes sense.  In case of password logon, Cygwin is using the
exact token it gets back from the LogonUser function, not the
attached elevated token.  Hmm, I put that on my TODO list.  After
all, if I logon via ssh as admin user, I do that to do admin tasks,
so I want to run the session elevated.

> I thought it was common knowledge that logging in to an
> Administrtors grouped user in Vista or Windows 7 is not enough to
> defeat the (default) UAC, and you remain unelevated from a privilege
> standpoint. That is why I have no choice but to unlock the genuine
> Administrator (and rename it just in case).

No, that's not quite correct.  If you call LogonUser (or the cyglsa sort
of password-less authentication) successfully, the system returns the
non-elevated token as well as the elevated token as a so-called linked
token.  In case of pubkey authentication, Cygwin refers to the elevated
token and uses that to switch the user context.  In case of password
authentication it does not do that so far.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat



More information about the Cygwin-developers mailing list