This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: [ssh-l] Running commands under the SYSTEM account ?


On Wed, Oct 17, 2001 at 11:53:33PM +0100, Tony Hoyle wrote:
> Creating a shell from this impersonated account should work exactly the 
> same as if LogonUser had been used.

No, there is a significant difference.

Using NtCreateToken() the process doesn't create a so-called
"Logon Session".  A logon session has a unique logon identifier
(a LUID) which gets created by the LSA authentication module running
while logon authentication takes place.  Since NtCreateToken()
doesn't call any LSA auth module, no logon session ID gets created. 
To have a valid logon session ID nonetheless, the call to
NtCreateToken() has to use one of two "well-known" logon session
IDs, SYSTEM_LUID or ANONYMOUS_LOGON_LUID.

The next problem is that an authentication token contains invisible
information (from the GetTokenInformation() point of view).  When
a user logs on using the `official' way (LogonUser is one of them),
that user has given credentials (password).  These credentials are
saved in the created logon session to authenticate the user against
servers on the net and such stuff.  Again, we have the problem that
no unique logon session has been created, so no credentials are stored
anywhere.  If you try to `net use' a share the appropriate error
message is generated: "A specified logon session does not exist."

So everything is bound to creating a logon session.

To make that really clear:

**************************************************************************
*                                                                        *
* I don't know any way to create a logon session outside of a lsa        *
* authentication module.  Even if I know the call which has to be used   *
* from inside a LSA authentication module to create a logon session,     *
* I don't know how to write a lsa authentication module.  If anybody can *
* help out here we could probably create a technique to change user      *
* context in Cygwin _with_ remote share access.                          *
*                                                                        *
**************************************************************************

And:

**************************************************************************
*                                                                        *
* Unless we don't have a method which creates a logon session without    *
* the need to give a password, access to shares is restricted to either  *
* public shares or to logon methods using a password (ssh w/ password,   *
* telnet).                                                               *
*                                                                        *
**************************************************************************

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
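
Added example, not part of the message above or of Cygwin's code: a small C check that classifies a token's logon session ID as one of the two well-known LUIDs or as a session of its own, which is the distinction the message ties to stored credentials and share access. The helper names are hypothetical; the numeric values are those of SYSTEM_LUID and ANONYMOUS_LOGON_LUID in winnt.h, and the sample LUID used off Windows is constructed.

```c
#include <stdio.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>                 /* link with advapi32 */
#else
/* Stand-in for the winnt.h LUID so the classifier also builds off Windows. */
typedef struct { uint32_t LowPart; int32_t HighPart; } LUID;
#endif

/* LowPart of SYSTEM_LUID and ANONYMOUS_LOGON_LUID in winnt.h (HighPart is 0). */
#define WK_SYSTEM_LOW    0x3e7u
#define WK_ANONYMOUS_LOW 0x3e6u

typedef enum { SESSION_OWN, SESSION_SYSTEM, SESSION_ANONYMOUS } session_kind;

/* Hypothetical helper: which kind of logon session does this ID name? */
session_kind classify_logon_session(LUID id) {
    if (id.HighPart != 0) return SESSION_OWN;
    if (id.LowPart == WK_SYSTEM_LOW) return SESSION_SYSTEM;
    if (id.LowPart == WK_ANONYMOUS_LOW) return SESSION_ANONYMOUS;
    return SESSION_OWN;
}

/* Per the message: credentials are only saved in a logon session created
   during logon authentication, never in the shared well-known sessions. */
int session_may_hold_credentials(LUID id) {
    return classify_logon_session(id) == SESSION_OWN;
}

#ifdef _WIN32
/* Read the logon session ID (AuthenticationId) of the current process token. */
int current_token_session(LUID *out) {
    HANDLE tok; TOKEN_STATISTICS st; DWORD len;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return -1;
    BOOL ok = GetTokenInformation(tok, TokenStatistics, &st, sizeof st, &len);
    CloseHandle(tok);
    if (ok) *out = st.AuthenticationId;
    return ok ? 0 : -1;
}
#endif

int main(void) {
    LUID id = { 0x3e7, 0 };          /* constructed sample, used off Windows */
#ifdef _WIN32
    if (current_token_session(&id) != 0) return 1;
#endif
    printf("kind=%d may_hold_credentials=%d\n",
           (int)classify_logon_session(id), session_may_hold_credentials(id));
    return 0;
}
```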
