This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: openssh: privilege separation no longer supported on Cygwin?
On 2017-05-31 13:52, Marco Atzeri wrote:
> On 29/05/2017 11:48, Houder wrote:
>> On 2017-05-29 10:39, Marco Atzeri wrote:
>>> On 29/05/2017 07:23, Houder wrote:
>>
>> [snip]
>>>> ... because, that is, I think, what I am seeing:
>>>>
>>>> - the userid of child sshd is still 'cyg_server' ...
>>>> - and I get an elevated shell when I login ...
>>>>
>>>> Not what I expected ...
>>>>
>>>> Gr. Henri
>>>>
>>>
>>> Hi Houder,
>>> please read the last Announcement
>>>
>>> https://sourceware.org/ml/cygwin-announce/2017-03/msg00028.html
>>
>> [snip]
>>> It seems you misunderstood the communication:
>>> - the possibility to NOT use "privilege separation" is deprecated
>>> - "privilege separation" will become mandatory
>>
>> Hi Marco,
>>
>> Sorry for the misunderstanding. Yes, to my knowledge, PS, privilege
>> separation, is now mandatory (using a new mechanism under Linux [1]).
>>
>> [1] sandboxing?
>>
>> Because of PS, I expect to see an UNprivileged sshd process talking
>> to the user process (where the ssh command has been executed).
>>
>> But above all, I expect an UNelevated shell when I log in ...
>>
>> However, what I get after login (after providing my credentials) is
>> an ELEVATED shell (yes, Administrators is part of the group set).
>
> Is your user a member of Administrators ?
>
>>
>> Now I wonder if this happens because I do NOT observe PS.
>>
>> Look below, please ... After executing the ssh command, ssh asks for
>> my credentials ... instead of providing my credentials, I execute
>> the ps command in a second terminal. To my surprise, the grandchild
>> of the listener is executed using "cyg_server" and not "sshd" ...
>>
>> Currently, I am looking at:
>>
>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>
>> Regards,
>> Henri
>>
>
> on my system as reported by lusrmgr.msc
> cyg_server is a privileged user member of Administrators
> sshd is a normal user as expected reading ssh-host-config.
>
> The cyg_server account can setuid to other users
> otherwise you can not change user id:
>
> $ pstree -u
> ?─┬─cygrunsrv(cyg_server)───sshd───sshd───bash(marco)───pstree
> ├─mintty(marco)───bash───ssh
> └─mintty(marco)───bash
You might want to look at the UG NT Security section on using LSA and
passwd -R to impersonate unprivileged userids.
Normally sshd is set up using the cyg_server account by ssh-host-config:
run cygrunsrv with -VQ (-QV doesn't work) to see most settings e.g.
$ cygrunsrv -VQ sshd
Service : sshd
Display name : CYGWIN sshd
Current State : Running
Controls Accepted : Stop, Preshutdown
Command : /usr/sbin/sshd -D
stdin path : /dev/null
stdout path : /var/log/sshd.log
stderr path : /var/log/sshd.log
Process Type : Own Process
Startup : Automatic
Dependencies : cygserver, tcpip
Account : .\cyg_server
you can also check the Windows view with:
$ sc qc sshd
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: sshd
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\...\cygwin64\bin\cygrunsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CYGWIN sshd
DEPENDENCIES : cygserver
: tcpip
SERVICE_START_NAME : .\cyg_server
and I have a script that lists all service registry settings for
checking, and works with all Windows services, not just Cygwin services
started by cygrunsrv:
$ scqc.sh sshd
sshd DelayedAutostart 1
sshd DependOnService cygserver tcpip
sshd DisplayName CYGWIN sshd
sshd ErrorControl 1
sshd ImagePath C:\...\cygwin64\bin\cygrunsrv.exe
sshd ObjectName .\cyg_server
sshd Parameters AppPath AppArgs Preshutdown
sshd Start 2
sshd Type 16
sshd Parameters/AppArgs -D
sshd Parameters/AppPath /usr/sbin/sshd
sshd Parameters/Preshutdown 1
enabling you to easily see what service settings to change using sc or
registry commands like Cygwin regtool or Windows reg, as cygrunsrv does
not support all sc settings, or dynamic changes, only -R remove and -I
install, which stops the service. Parameters is a standard subkey also
used by other non-Cygwin services.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
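An added example for this thread (it is not Brian's scqc.sh, nor anything from Cygwin or OpenSSH): a POSIX shell script that parses saved "sc qc" output, the Windows-side view quoted in the reply, into tab-separated key/value lines, folds the two-line DEPENDENCIES field, and classifies the account the service starts under. The sample output is constructed after the "sc qc sshd" listing above with a placeholder install path, and the function names sc_qc_parse, sc_qc_get and audit_start_account are my own. It needs only sh and awk, so it can be run on a Cygwin box against "sc qc sshd" directly, or anywhere else against captured output.

```shell
#!/bin/sh
# Added example for this thread, not Brian's scqc.sh: parse the output of
# "sc qc <service>" into KEY<TAB>VALUE lines and report the start account.
# Runs with plain sh + awk, so saved "sc qc" output can be checked anywhere.

# Constructed sample modelled on the "sc qc sshd" output quoted in the
# thread; the install path is a placeholder, not a real system's.
SAMPLE_SC_QC='[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: sshd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\cygwin64\bin\cygrunsrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CYGWIN sshd
        DEPENDENCIES       : cygserver
                           : tcpip
        SERVICE_START_NAME : .\cyg_server'

# sc_qc_parse "<sc qc output>": one KEY<TAB>VALUE line per field, in the
# order sc prints them.  A line whose key part is empty (only ": value")
# continues the previous field, which is how sc prints DEPENDENCIES.
sc_qc_parse() {
    printf '%s\n' "$1" | awk '
        /^\[SC\]/ { next }                      # status banner, not a field
        { pos = index($0, ":") }
        pos == 0 { next }                       # blank or non-field line
        {
            key = substr($0, 1, pos - 1)
            val = substr($0, pos + 1)
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "") {                    # continuation line
                if (last != "") vals[last] = vals[last] " " val
                next
            }
            if (!(key in vals)) order[++n] = key
            vals[key] = val
            last = key
        }
        END { for (i = 1; i <= n; i++) printf "%s\t%s\n", order[i], vals[order[i]] }'
}

# sc_qc_get KEY "<sc qc output>": print one field's value (empty if absent).
sc_qc_get() {
    sc_qc_parse "$2" | awk -F'\t' -v k="$1" '$1 == k { print $2; exit }'
}

# audit_start_account "<sc qc output>": classify SERVICE_START_NAME.
# sc prints LocalSystem (or nothing) for the built-in SYSTEM account,
# ".\name" for a local account, and DOMAIN\name or a virtual account
# otherwise; the result tells you which account's rights sshd inherits.
audit_start_account() {
    acct=$(sc_qc_get SERVICE_START_NAME "$1")
    case "$acct" in
        ''|LocalSystem) printf 'SYSTEM\n' ;;
        '.\'*)          printf '%s\n' "$acct" | sed 's/^[.]\\/local:/' ;;
        *)              printf 'other:%s\n' "$acct" ;;
    esac
}

# Stand-alone run: dump every field, then the account classification.
sc_qc_parse "$SAMPLE_SC_QC"
printf 'start account: %s\n' "$(audit_start_account "$SAMPLE_SC_QC")"
```

To check a live service instead of the sample, pipe the real listing in with something like sc_qc_parse "$(sc qc sshd)" from a Cygwin shell; the SERVICE_START_NAME line is the one to compare against what ssh-host-config set up, and the DEPENDENCIES line confirms cygserver is listed as the reply shows.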
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple