[ssh-l] Running commands under the SYSTEM account ?

Tony Hoyle tmh@nothing-on.tv
Wed Oct 17 15:53:00 GMT 2001


Terris wrote:

> I don't understand why creating a token
> as SYSTEM doesn't work.  I read the email
> you pointed me to and I still don't get it.
> If sshd uses NtCreateToken, it should work.
> 
> The CVS server CVSNT calls NtCreateToken 
> as the SYSTEM user.  The CVSNT service
> runs under the local SYSTEM account.  It works.  
> 


Yes this should work.  cvsnt uses NtCreateToken, followed
by ImpersonateUser().  This works as far as it goes.  However 
impersonation does not work over network shares (this is part of NT 
security - Win2k has a way around it but it isn't well documented) so 
the account isn't precisely the same as the original.

You have to be careful that when you create the token you duplicate the 
correct access token as exactly as possible (so you don't give 
joe-random-user Administrator access).  The code in cvsnt does this, and 
I believe cygwin does the same or similar.

Creating a shell from this impersonated account should work exactly the 
same as if LogonUser had been used.  cvsnt creates processes as part of 
its commit procedure, and it's important that these run as the user, for 
security reasons (Whilst working on the code for cvsnt I tested by 
creating a token, then using LogonUser and comparing them.  They are 
identical tokens in all cases I checked).

Tony


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/



More information about the Cygwin mailing list