This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: rshd chdirs before it sets uid and gid???


On Fri, Oct 05, 2001 at 03:40:45PM -0400, John Peacock wrote:
>Peter Buckley wrote:
>> 
>> I was looking at the source (rshd.c) and it
>> seems backwards in the way it goes about doing
>> things. It is trying to chdir to the remote
>> user's home directory before it switches user
>> context. That doesn't make sense- I thought
>> the point of rsh was that *you* were supposed
>> to be *you* and not system or root or anyone
>> else.
>
>Remember that rshd was written for the *nix world and only _ported_ 
>to Cygwin.  Remember also that Cygwin has only relatively recently
>adopted NT security (and it still has to run under W98).
>
>> 
>> This is how I understand what it is doing,
>> please correct me if I am wrong.
>> 
>> First, it checks if it is able to chdir to
>> the home directory of the remote user-
>> 
>> if (chdir(pwd->pw_dir) < 0) {
>>     (void) chdir("/");
>> #ifdef __CYGWIN__
>>     syslog(LOG_INFO|LOG_AUTH,
>>         "%s@%s as %s: no home directory. cmd='%.80s'",
>>         remuser, hostname, locuser, cmdbuf);
>>     error("No remote directory.\n");
>>     exit(1);
>> #endif
>> }
>> 
>> Then if CYGWIN is defined, it just exits?????
>> Telnet does NOT do this, it just chdirs to "/"
>> and allows you to continue.
>
>That is why telnet is not considered to be a secure program (and other
>reasons).  Consider if somehow someone managed to log in as an account 
>that does not have a home directory on purpose (like most service 
>accounts); since Cygwin's security until very recently has been 
>Microsoft's (which is to say none at all), someone could wreak havoc 
>on a machine, just given that they can log in.
>
>This is a security feature, not a bug, IMHO, and should not be 
>changed.  Only after the cd should the setgid/uid be performed (which 
>had no real meaning/effect until 'ntsec' was perfected and still has
>no meaning under non-NTFS disks).
>
>> 
>> I am running into this problem because SYSTEM
>> doesn't have rights to my home directory.
>> 
>> It seems that the following bit of code should
>> come BEFORE the chdir stuff, so SYSTEM doesn't need
>> to have rights to EVERY user's home directory.
>
>System is an NT artifact; it is supposed to be used for services that
>require very little external rights (like to the filesystem) and to
>have special internal rights (like act as part of the O/S).  rshd is
>still based in the *nix world where services are run as root until 
>they drop to user levels (for things like rshd and sshd).
>
>Run rshd as an admin equivalent and everything will work fine.  Better
>yet, run sshd and delete rshd entirely.

Maybe I'm missing something but I think the original point is well taken.
It seems more secure to me to do the change of user context first and then
the cd.  I can't see what that hurts.

cgf
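
The ordering argued for in this thread (switch user context first, then chdir), as an added example that is not taken from rshd.c or the Cygwin sources. The `ctx_ops` table, the `sim_*` dry-run backend, and the account `alice` (uid/gid 1000, `/home/alice`) are constructed for illustration; `real_ops` assumes the POSIX/glibc signatures of `initgroups`, `setgid`, `setuid` and `chdir`.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <unistd.h>

/* Calls go through a table so the ordering can be exercised without root. */
struct ctx_ops {
    int (*initgroups)(const char *, gid_t);
    int (*setgid)(gid_t);
    int (*setuid)(uid_t);
    int (*chdir)(const char *);
};
const struct ctx_ops real_ops = { initgroups, setgid, setuid, chdir };
enum { CTX_OK, CTX_EGROUPS, CTX_EGID, CTX_EUID, CTX_ENOTDROPPED, CTX_EHOME };

/* Become the account in pw, then enter its home directory. */
int enter_user_context(const struct ctx_ops *op, const struct passwd *pw)
{
    /* Groups, then gid, then uid: after the uid drop, groups cannot change. */
    if (op->initgroups(pw->pw_name, pw->pw_gid) != 0) return CTX_EGROUPS;
    if (op->setgid(pw->pw_gid) != 0) return CTX_EGID;
    if (op->setuid(pw->pw_uid) != 0) return CTX_EUID;
    /* For a non-root target, regaining uid 0 must now fail. */
    if (pw->pw_uid != 0 && op->setuid(0) == 0) return CTX_ENOTDROPPED;
    /* The home directory is reached with the user's own rights only. */
    if (op->chdir(pw->pw_dir) != 0) return CTX_EHOME;
    return CTX_OK;
}

/* Constructed dry-run backend: records call order, changes nothing. */
static char trace[8];
static uid_t sim_uid;
static void note(char c) { size_t n = strlen(trace); if (n < sizeof trace - 1) trace[n] = c; }
static int sim_groups(const char *u, gid_t g) { (void)u; (void)g; note('G'); return sim_uid ? -1 : 0; }
static int sim_setgid(gid_t g) { (void)g; note('g'); return sim_uid ? -1 : 0; }
static int sim_setuid(uid_t u) { note('u'); if (sim_uid && u != sim_uid) return -1; sim_uid = u; return 0; }
static int sim_chdir(const char *d) { note('c'); return strcmp(d, "/home/alice") ? -1 : 0; }
static const struct ctx_ops sim_ops = { sim_groups, sim_setgid, sim_setuid, sim_chdir };

/* Run the sequence for the constructed account, starting as simulated root. */
int simulate(const char *home)
{
    struct passwd pw = { .pw_name = "alice", .pw_uid = 1000, .pw_gid = 1000, .pw_dir = (char *)home };
    memset(trace, 0, sizeof trace); sim_uid = 0;
    return enter_user_context(&sim_ops, &pw);
}
const char *last_order(void) { return trace; }
```

A daemon would call `enter_user_context(&real_ops, pw)` after authenticating the user; whether `CTX_EHOME` ends the session, as the quoted rshd code does, or falls back to `/` is the policy question debated above.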
