This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: The eternal uid issue


On 7/24/2014 5:42 PM, D. Boland wrote:
> Hi Corinna,
> 
> Corinna Vinschen wrote:
>> But be careful.  Just because there are multiple users with admin
>> permissions, that doesn't mean they all want their mail in the same
>> mailbox for user 0...

Things are actually worse than Corinna and others have described.  The
SYSTEM account is a built-in local machine account that by default is
granted certain permissions but those permissions are configurable.

There is a built-in Administrator account which everyone is taught to
never use.

There are two default groups "Administrators" and "Domain
Administrators" whose members are considered to be administrators but
whose logon sessions run in a restricted mode which is tighter in many
regards than standard users UNLESS the process running as that user is
granted "elevated" access.

Simply working off the user's SID or GIDs to make decisions is often
going to result in failures that appear to your users as unpredictable.

> Thanks for the overloading code. I already tested it. Now I can leave the Sendmail
> code (almost) unchanged. Thanks also for the time you put into this. I hope the
> RedHat people pay you well.
> 
> I have Sendmail ready to be released, but only the 'crude' version (running as an
> admin user). I'd like to go for the preferred solution (starting as admin, switching
> to unprivileged). The uid issue is sorted. But to get it there, I have one final
> problem to solve.

On all modern versions of Windows the accounts that are members of the
Administrators and Domain Administrators accounts are going to run
unprivileged.

In the Windows world background daemons (aka services) should be
assigned their own service account that is granted the minimum set of
privileges required.  Windows permissions are much more fine grained
than POSIX and this gives you a great deal of control.

Shedding privileges can be done by a privileged process by replacing its
process (or thread) access token with a more restricted version.

> Sendmail checks if the user's home directories are group- or world-writable. It does
> this with 'stat'. If Sendmail is running in 'crude' mode (main program and children
> running as the Sendmail 'smmsp' user, made admin), stat returns the right file mode
> for my home directory (rwxr-xr-x). The email is delivered.

On Windows file systems (as with many UNIX network file systems, think
AFS as one example) the UNIX mode is not going to have much value.
What matters are the entries in the access control list and that is what
should be checked and manipulated.  Cygwin can't turn a non-POSIX file
system into a POSIX file system no matter how hard it tries.

> If I have Sendmail running in preferred mode (main program as cyg_server, children
> running as 'smmsp', removed from admin group), stat returns the wrong mode
> (rwxrwxrwx). As a consequence, Sendmail refuses to deliver email.

The UNIX mode cannot describe the fine grained permissions of the access
control language for the file system.

> Can I do anything about this?

Other members of this group might have some additional suggestions on
how to remove checks but if you really want secure delivery of e-mail on
a Windows file system you will need to write code that is capable of
understanding the capabilities of the file system.  Just as you would on
UNIX if the home directory was in a network file system that relied upon
GSS/Kerberos network credentials and Access Control Lists instead of
UNIX mode for access control.

Jeffrey Altman
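The ACL-aware check Jeffrey describes, written out as an added example (not code from the thread or from the Sendmail package): instead of trusting the POSIX mode that Cygwin synthesises, inspect the directory's DACL for Allow entries that grant write-class rights to broad principals (Everyone, Authenticated Users, BUILTIN\Users, Anonymous), which is the closest Windows analogue of "group- or world-writable". The function name, the chosen set of SIDs and the rights mask are assumptions of this example.

```powershell
# Added example: ACL-based "writable by broad principals?" test for a directory.
# Assumes Windows PowerShell 5+ or PowerShell 7+ on Windows; not from the thread.
function Test-BroadlyWritableDirectory {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs that play the role of "group"/"other" in the POSIX sense.
    $broadSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-7'        # Anonymous Logon
    )

    # Rights that let a principal add, remove or re-own entries in the directory.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                       $fsr::DeleteSubdirectoriesAndFiles -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    # Generic rights can appear on inheritable ACEs; GENERIC_WRITE | GENERIC_ALL.
    $genericMask = 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs widen access; a matching Deny ACE would have to be
        # evaluated in order to be sure, which this simple check does not do.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($broadSids -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericMask) -ne 0)) {
            $findings += [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    # Empty result means no broad principal holds write-class rights here.
    return $findings
}

# Example call: refuse delivery (or warn) if the home directory is broadly writable.
$hits = Test-BroadlyWritableDirectory -Path $env:USERPROFILE
if ($hits) { $hits | Format-Table -AutoSize } else { 'No broad write access found.' }
```

An empty result is necessary but not sufficient: a site-specific domain group outside the list above, or ACLs on the parent path, can still grant write access, so extend the SID list to match local policy.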



