This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.



Re: Windows 2003


On Thu, Jul 10, 2003 at 01:18:25PM -0400, Pierre A. Humblet wrote:
> Corinna,
> 
> judging from your recent post on the list you have new 
> info on the Create Token privilege of SYSTEM on 2003.

That's info from a MS newsgroup.  I've tested on a 2003 Server and it
turns out that processes started from cygrunsrv under system account
have no CreateToken permission in their access token.

> If I understand it correctly, the only way out is to
> run under a new privileged account. Correct?

When using NTCreateToken, I guess the answer is yes.

> Should we introduce some means to determine if a 
> process can setuid, e.g. a new value for cygwin_internal(),
> checking membership in Admins and having enough
> privileges?

Not yet.  First it should work *at all*.  I've created an account with
all necessary rights including createtoken.  I've checked that services
started under that account still have createtoken in their access token.
I've tried running sshd from the command line as well as as a service.
I couldn't start any application when switching user context using
createtoken.  The context switch is done and then CreateProcess fails
with error 3: "The system cannot find the path specified."  I've
checked all permissions, I've set all permissions to 777, to no avail.
I'm not able to start *any* application.  This is most frustrating.

If that doesn't work at all, we don't have to care for the root user.
Instead we would have to switch to LsaLogonUser, either by using and
probably refurbishing the existing subauth code or by writing an
entirely new LSA authentication module (though I still don't know how
to do it and still never saw any example code).

I know it sounds paranoid but somehow I'm thinking that Microsoft exactly
knows what non-MS software will stop working on 2003 :-(((

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
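The question raised above (whether a process can tell if it is able to switch user context: Administrators membership plus the necessary privileges) can be answered on the spot from the process's own token. The following is an added diagnostic example, not code from the thread or from the Cygwin project; it assumes a Windows host where whoami.exe is available, and the function name Test-SetuidCapability is my own.

```powershell
# Added example (not from the original thread or from Cygwin): inspect the
# current process token for the two conditions the thread discusses, local
# Administrators membership and SeCreateTokenPrivilege. The function name is
# hypothetical.
function Test-SetuidCapability {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # 'whoami /priv' lists every privilege present in the token with its
    # state. A privilege missing from the list is not held at all (the
    # situation reported above for services started under SYSTEM on 2003);
    # one listed as Disabled is held but must be enabled with
    # AdjustTokenPrivileges before it can be used.
    $privileges  = whoami /priv /fo csv | ConvertFrom-Csv
    $createToken = $privileges |
        Where-Object { $_.'Privilege Name' -eq 'SeCreateTokenPrivilege' }

    [PSCustomObject]@{
        User                 = $identity.Name
        IsLocalAdministrator = $isAdmin
        HasSeCreateToken     = [bool]$createToken
        SeCreateTokenState   = if ($createToken) { $createToken.State }
                               else { 'not present in token' }
    }
}

# Run from the context you want to check, e.g. inside a service started by
# cygrunsrv, to see what that account's token actually contains.
Test-SetuidCapability
```

Two caveats when reading the output: IsLocalAdministrator reflects the token in use, so on systems with UAC a non-elevated administrator shell reports False, and the privilege list describes the token as it was built at logon, which is exactly why a service account has to be granted "Create a token object" before the service starts rather than after.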

