This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.



Re: Windows 2003



Corinna Vinschen wrote:
> 
> On Thu, Jul 10, 2003 at 08:43:54PM +0200, Corinna Vinschen wrote:
> > On Thu, Jul 10, 2003 at 01:18:25PM -0400, Pierre A. Humblet wrote:
> > > Corinna,
> > >
> > > judging from your recent post on the list you have new
> > > info on the Create Token privilege of SYSTEM on 2003.
> >
> > That's info from a MS newsgroup.  I've tested on a 2003 Server and it
> > turns out that processes started from cygrunsrv under system account
> > have no CreateToken permission in their access token.
> >
> > > If I understand it correctly, the only way out is to
> > > run under a new privileged account. Correct?
> >
> > When using NTCreateToken, I guess the answer is yes.
> >
> > > Should we introduce some means to determine if a
> > > process can setuid, e.g. a new value for cygwin_internal(),
> > > checking membership in Admins and having enough
> > > privileges?
> >
> > Not yet.  First it should work *at all*.  I've created an account with
> > all necessary rights including createtoken.  I've checked that services
> > started under that account still have createtoken in their access token.
> > I've tried running sshd from the command line as well as as a service.
> > I couldn't start any application when switching user context using
> > createtoken.  The context switch is done and then CreateProcess fails
> > with error 3: "The system cannot find the path specified."  I've
> > checked all permissions, I've set all permissions to 777, to no avail.
> > I'm not able to start *any* application.  This is most frustrating.
> 
> Sorry, I got that wrong:  Even using password authentication the
> CreateProcess(C:\cygwin\bin\bash.exe,...) fails.  Urgh!
 
I just reread the CreateProcessAsUser page. We do a RevertToSelf, so
we access the executable image in the security context of the caller.
Accessing C:\cygwin\bin\bash.exe isn't the issue, the error message 
must be about some other path...

Have a look at http://www.cygwin.com/ml/cygwin/2003-06/msg00500.html
ssh with password authentication worked (top of message).
Strangely (middle of the message) he was unable to do a passwordless
"telnet system", although no token creation takes place there.
 
I am still hopeful it's something simple...

Pierre

