From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 102913 invoked by alias); 9 Feb 2016 06:43:15 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 102892 invoked by uid 89); 9 Feb 2016 06:43:14 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=3.0 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,SPF_PASS autolearn=ham version=3.3.2 spammy=H*R:D*cygwin.com, win7, Win7, Hx-languages-length:1371 X-HELO: resqmta-po-12v.sys.comcast.net Received: from resqmta-po-12v.sys.comcast.net (HELO resqmta-po-12v.sys.comcast.net) (96.114.154.171) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES128-SHA encrypted) ESMTPS; Tue, 09 Feb 2016 06:43:13 +0000 Received: from resomta-po-05v.sys.comcast.net ([96.114.154.229]) by resqmta-po-12v.sys.comcast.net with comcast id G6j51s0054xDoy8016jCUx; Tue, 09 Feb 2016 06:43:12 +0000 Received: from HOME1 ([24.18.54.164]) by resomta-po-05v.sys.comcast.net with comcast id G6jB1s00L3YafjL016jBFh; Tue, 09 Feb 2016 06:43:12 +0000 Reply-To: From: "David Willis" To: Subject: Possible Security Hole in SSHD w/ CYGWIN? Date: Tue, 09 Feb 2016 06:43:00 -0000 Message-ID: <016c01d16305$252c94c0$6f85be40$@comcast.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-SW-Source: 2016-02/txt/msg00101.txt.bz2 Hello, I noticed that when connecting via SSH to a CYGWIN-based SSHD server, if the user connects to a network share (i.e. they CD to the share UNC path in the BASH/CYGWIN shell), they get connected as the privileged server user account created for privilege separation when SSHD is configured w/ ssh-host-config. In other words, they have the rights of that account, and if that account happens to be a domain admin (or even a local admin on the box hosting the share), that user has full admin rights on that share, when in fact they should have the rights assigned to the user account they SSH'd in with. To reproduce, connect via SSH (from either a Linux or CYGWIN/Windows client) to a CYGWIN-based SSHD server using a normal privileged user account (an account preferably that is not an admin either on the client or server machine). Once connected to the Windows SSHD server, CD to a UNC path of a network share. Once CD'd to that path, check Computer Management on that server, and go to Shares->Open Sessions, and you will see that the user connected is the privileged SSHD server account (and it will obviously show as being connected from the machine you are SSH'd into). Anyone else ever notice this before? Running OpenSSH v7 BTW, SSH client is Win7, SSH server Win7, file share server Win2008R2 Thanks, David -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple