This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)


On Mon, Oct 29, 2001 at 07:48:44AM -0500, Jason Tishler wrote:
> Corrina,

s/rrin/rinn

> Nevertheless, I now better understand why chown was not working under
> ssh via key exchange:
> 
> $ ssh tishlmob2d1m701 id
> uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering)
> 
> Note that Windows does not think that I am in the local Administrators
> group.  Hence, I'm not able to chown, net start/stop, etc.
> 
> But, if I ssh via password exchange:
> 
> $ ssh -1 tishlmob2d1m701 id
> jtishler@tishlmob2d1m701's password: 
> uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),10513(Domain Users),12093(Software Engineering)
> 
> then Windows does.  Why?  Unfortunately, I don't (currently) know.

Hmm, Dunno.  That's sort of a leak in the create_token() code in
security.cc but I don't see how that can happen.  When performing
a password login, the user token is created by Windows itself while
in case of pubkey authentication I have to create the new token by
myself.

Jason, you are working on Cygwin code so you could take a look into it.

Let's begin in create_token() itself, line 761 calls get_group_sidlist()
which creates a list of SIDs of all groups the user is a member of.
In get_group_sidlist(), line 518 I'm calling get_user_groups() to
retrieve the list of global (domain) groups, followed by a call to
get_user_local_groups(), line 519, which retrieves the list of local
groups the user is a member of.  To do that, the function NetUserGetGroups()
is used for getting the list of global groups.

To get all local groups, first NetLocalGroupEnum() is called and then
(in function is_group_member()) for each local group I'm calling
NetLocalGroupGetMembers() to check if either the user is a direct
member of that local group or one of his global groups is a member of
that local group.  This way, all groups of the user should have been
retrieved.

Do you (or does anybody) see an error here?

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
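
The group lookup described in the message above, modelled as an added example that is not part of the original post and is not Cygwin's security.cc. The results of the Net* calls are replaced by constructed tables, and every user, group and membership in them is hypothetical.

```c
/* Added model of the described group collection; not Cygwin's security.cc.
   All users, groups and memberships below are constructed sample data. */
#include <stdio.h>
#include <string.h>

struct local_group { const char *name; const char *members[4]; };

/* Stand-in for NetLocalGroupEnum() + NetLocalGroupGetMembers() results. */
static const struct local_group local_groups[] = {
    { "Administrators",   { "localadmin", "Engineering", NULL } },
    { "Users",            { "Domain Users", NULL } },
    { "Backup Operators", { "backupsvc", NULL } },
};
/* Stand-ins for NetUserGetGroups() results, one list per sample user. */
const char *const jdoe_globals[]  = { "Domain Users", "Engineering", NULL };
const char *const guest_globals[] = { "Domain Users", NULL };
const char *const no_globals[]    = { NULL };

static int in_list(const char *name, const char *const *list) {
    for (; *list; list++)
        if (strcmp(name, *list) == 0) return 1;
    return 0;
}
/* Member if the user is listed directly or via one of the user's global groups. */
static int is_group_member(const struct local_group *lg, const char *user,
                           const char *const *globals) {
    for (const char *const *m = lg->members; *m; m++)
        if (strcmp(*m, user) == 0 || in_list(*m, globals)) return 1;
    return 0;
}
/* Global groups first, then each local group that passes the membership check. */
int collect_groups(const char *user, const char *const *globals,
                   const char **out, int max) {
    int n = 0;
    for (const char *const *g = globals; *g && n < max; g++) out[n++] = *g;
    for (size_t i = 0; i < sizeof local_groups / sizeof *local_groups && n < max; i++)
        if (is_group_member(&local_groups[i], user, globals))
            out[n++] = local_groups[i].name;
    return n;
}
int has_group(const char *user, const char *const *globals, const char *group) {
    const char *out[16];
    int n = collect_groups(user, globals, out, 16);
    for (int i = 0; i < n; i++)
        if (strcmp(out[i], group) == 0) return 1;
    return 0;
}
int main(void) {
    const char *out[16];
    int n = collect_groups("jdoe", jdoe_globals, out, 16);
    for (int i = 0; i < n; i++) printf("%s\n", out[i]);
    return 0;
}
```

In this model a user reaches Administrators either by direct listing or through a global group, so a group list that lacks it points at one of those two checks returning nothing.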
