admin privileges when logging in by ssh?

Corinna Vinschen
Sat Oct 15 17:12:00 GMT 2011

On Oct 14 21:14, Corinna Vinschen wrote:
> On Oct 14 20:23, Corinna Vinschen wrote:
> > On Oct 14 11:18, Andrew Schulman wrote:
> > > So the difference AFAICT is the membership in the Administrators group.
> > > Notice also in the two listings below, that by password authentication,
> > > backup gets
> > > 
> > > Mandatory Label\High Mandatory Level
> > > 
> > > while by pubkey, he gets
> > > 
> > > Mandatory Label\Medium Mandatory Level
> > > 
> > > whatever those are.
> > 
> > That's an UAC thingy.  Keep in mind that Cygwin has to create the user
> > token from scratch here, given that you are using passwored-less setuid
> > method 1
> > (per 
> > I'm not aware of a method to fetch the mandatory level SID a user is
> > supposed to get, so what Cygwin does is simply to base the mandatory
> > level SID on the membership in the admins group.
> > 
> > As for the missing privileges, they are not missing in the user token,
> > they are just disabled:
> > [...]
> > But even then, if the backup/restore privileges are disabled, it shouldn't
> > matter in Cygwin.  Cygwin enables both privileges right at process startup.
> > 
> > Having said that, I have no idea why the privileges are disabled in your
> > token.  The good news is that I can reproduce the behaviour on a Windows
> > 2008 R2 box with a normal domain user account, which got explicit backup
> > and restore rights.
> > 
> > I don't know why this occurs when using password-less setui method 1,
> > this is something which I have to debug yet.
> I just debugged this and now I know why this happens.   The problem
> is the aforementioned Mandatory Label.  A user token which has medium
> mandatory level can not enable these privileges, even if they are in
> the user token.  If I create the token with high mandatory level,
> it's no problem to enable the backup/restore permissions at process
> startup.
> However, I don't think it's a good idea to set the high mandatory level
> on a token unconditionally.  This should only be done if the token
> contains certain privileges.  The problem now is to find out which
> permissions are affected by this.  I don't see any list of privileges
> on MSDN in terms of UAC restriction.  Oh well, no pain, no gain.

I applied a patch to CVS which should solve this problem in a generic
way.  I observed how Windows handles the privileges when creating a
token and your scenario should be nicely covered now.  I also dropped a
somewhat dangerous behaviour in terms of security when creating a token
from scratch.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list