This is the mail archive of the
mailing list for the Cygwin project.
Re: how su works with no suid
- To: cygwin <cygwin at sources dot redhat dot com>
- Subject: Re: how su works with no suid
- From: Corinna Vinschen <vinschen at cygnus dot com>
- Date: Wed, 13 Sep 2000 09:46:13 +0200
- References: <GHAPKPJLPBGGCAAA@my-deja.com>
- Reply-To: cygwin <cygwin at sources dot redhat dot com>
> ok, let me ask it a different way...
> if I do an 'su - guest' it does not ask for password but just gives
> 'su: cannot set user id: Not owner'
Take a look into the sources of, say, `login'. You will see that you
need extra effort to get an user token from windows to be able to use
Documentation is available as well. It's currently not in the online
docs but if you download the sources of cygwin, you will find it in
`winsup/doc/ntsec.sgml', chapter "New setuid concept".
> in the end, i am trying to come up with an sshd version that installs as a service, uses rsa, etc...
There's already a ported working sshd. See that message:
It provides RSA as long as you try to login as the owner of the sshd
You will not be able to provide RSA authentication which will switch
the user context without writing your own LSA authentication or
> --- here is some more detail about the problem.
> I am logged into nt as my nt-domain user that has local nt-admin rights.
> su and some other programs make a call to setuid or seteuid. In normal unix, the file 'su' is chmod to 4755 which is -rwsr-xr-x. There is no implementation of "set user execution bit on"
That's right. And if you want to switch the user context in NT
you'll have to stand on your head. You'll have to provide the
password which has to be given to a nt specific logon function
("LogonUser()" which is wrapped by Cygwin's "cygwin_logon_user()")
to get a so called "access token" which has to be used to impersonate
the user by calls to "ImpersonateLoggoedOnUser()" (wrapped by
cygwin_set_impersonation_token()") or "CreateProcessAsUser()" (wrapped
by "execve()"). See source of login for a simple example:
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:email@example.com
Red Hat, Inc.
Want to unsubscribe from this list?
Send a message to firstname.lastname@example.org