Corinna Vinschen
2019-Feb-20 12:07 UTC
[PATCH v2] Cygwin: rel 3.0 drops requirement for privileged non-SYSTEM account
Seteuid now creates user token using S4U. We don't create a token
from scratch anymore, so we don't need the "Create a process
token"
privilege. The service can run under SYSTEM again.
---
contrib/cygwin/ssh-host-config | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index cc36ea102f42..a8572e2ac879 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -394,14 +394,24 @@ install_service() {
then
csih_get_cygenv "${cygwin_value}"
- if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" =
"yes" ] )
+ if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] )
then
- csih_inform "On Windows Server 2003, Windows Vista, and above, the"
- csih_inform "SYSTEM account cannot setuid to other users -- a
capability"
- csih_inform "sshd requires. You need to have or to create a
privileged"
- csih_inform "account. This script will help you do so."
- echo
+ # Enforce using privileged user on 64 bit Vista or W7 under WOW64
+ is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1
|| echo 0)
+ if ( csih_is_nt2003 && ! csih_is_windows8 && [
"${is_wow64}" = "1" ] )
+ then
+ csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows
7"
+ csih_inform "the SYSTEM account is not sufficient to setuid to a
local"
+ csih_inform "user account. You need to have or to create a
privileged"
+ csih_inform "account. This script will help you do so."
+ echo
+ csih_FORCE_PRIVILEGED_USER=yes
+ fi
+ fi
+
+ if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+ then
[ "${opt_force}" = "yes" ] && opt_f=-f
[ -n "${user_account}" ] && opt_u="-u
""${user_account}"""
csih_select_privileged_username ${opt_f} ${opt_u} sshd
@@ -412,11 +422,12 @@ install_service() {
csih_request "Do you want to proceed anyway?" || exit 1
let ++ret
fi
+ # Never returns empty if NT or above
+ run_service_as=$(csih_service_should_run_as)
+ else
+ run_service_as="SYSTEM"
fi
- # Never returns empty if NT or above
- run_service_as=$(csih_service_should_run_as)
-
if [ "${run_service_as}" =
"${csih_PRIVILEGED_USERNAME}" ]
then
password="${csih_PRIVILEGED_PASSWORD}"
--
2.20.1
Corinna Vinschen
2019-Feb-20 12:25 UTC
[PATCH v3] Cygwin: rel 3.0 drops requirement for privileged non-SYSTEM account
Seteuid now creates user token using S4U. We don't create a token
from scratch anymore, so we don't need the "Create a process
token"
privilege. The service can run under SYSTEM again...
...unless Cygwin is running on Windows Vista or Windows 7 in the
WOW64 32 bit emulation layer. It turns out that WOW64 on these systems
didn't implement MsV1_0 S4U Logon so we still need the fallback
to NtCreateToken for these systems.
Signed-off-by: Corinna Vinschen <vinschen at redhat.com>
---
contrib/cygwin/ssh-host-config | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index cc36ea102f42..a8572e2ac879 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -394,14 +394,24 @@ install_service() {
then
csih_get_cygenv "${cygwin_value}"
- if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" =
"yes" ] )
+ if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] )
then
- csih_inform "On Windows Server 2003, Windows Vista, and above, the"
- csih_inform "SYSTEM account cannot setuid to other users -- a
capability"
- csih_inform "sshd requires. You need to have or to create a
privileged"
- csih_inform "account. This script will help you do so."
- echo
+ # Enforce using privileged user on 64 bit Vista or W7 under WOW64
+ is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1
|| echo 0)
+ if ( csih_is_nt2003 && ! csih_is_windows8 && [
"${is_wow64}" = "1" ] )
+ then
+ csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows
7"
+ csih_inform "the SYSTEM account is not sufficient to setuid to a
local"
+ csih_inform "user account. You need to have or to create a
privileged"
+ csih_inform "account. This script will help you do so."
+ echo
+ csih_FORCE_PRIVILEGED_USER=yes
+ fi
+ fi
+
+ if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+ then
[ "${opt_force}" = "yes" ] && opt_f=-f
[ -n "${user_account}" ] && opt_u="-u
""${user_account}"""
csih_select_privileged_username ${opt_f} ${opt_u} sshd
@@ -412,11 +422,12 @@ install_service() {
csih_request "Do you want to proceed anyway?" || exit 1
let ++ret
fi
+ # Never returns empty if NT or above
+ run_service_as=$(csih_service_should_run_as)
+ else
+ run_service_as="SYSTEM"
fi
- # Never returns empty if NT or above
- run_service_as=$(csih_service_should_run_as)
-
if [ "${run_service_as}" =
"${csih_PRIVILEGED_USERNAME}" ]
then
password="${csih_PRIVILEGED_PASSWORD}"
--
2.20.1
Corinna Vinschen
2019-Feb-20 12:25 UTC
[PATCH v2] Cygwin: rel 3.0 drops requirement for privileged non-SYSTEM account
On Feb 20 13:07, Corinna Vinschen wrote:> Seteuid now creates user token using S4U. We don't create a token > from scratch anymore, so we don't need the "Create a process token" > privilege. The service can run under SYSTEM again.The commit message isn't quite right, V3 of the patch is forthcoming. Sorry, Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20190220/cabae273/attachment.asc>