From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 52530 invoked by alias); 9 Feb 2016 15:56:23 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 52495 invoked by uid 89); 9 Feb 2016 15:56:19 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=4.7 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,KAM_ASCII_DIVIDERS,RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,SPF_PASS autolearn=no version=3.3.2 spammy=thru, cygwin-ug-net, cygwinugnet, navigate X-HELO: resqmta-po-10v.sys.comcast.net Received: from resqmta-po-10v.sys.comcast.net (HELO resqmta-po-10v.sys.comcast.net) (96.114.154.169) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES128-SHA encrypted) ESMTPS; Tue, 09 Feb 2016 15:56:18 +0000 Received: from resomta-po-17v.sys.comcast.net ([96.114.154.241]) by resqmta-po-10v.sys.comcast.net with comcast id GFvv1s0095Clt1L01FwGbV; Tue, 09 Feb 2016 15:56:16 +0000 Received: from HOME1 ([24.18.54.164]) by resomta-po-17v.sys.comcast.net with comcast id GFwF1s00d3YafjL01FwGbf; Tue, 09 Feb 2016 15:56:16 +0000 Reply-To: From: "David Willis" To: References: In-Reply-To: Subject: RE: Possible Security Hole in SSHD w/ CYGWIN? Date: Tue, 09 Feb 2016 15:56:00 -0000 Message-ID: <018801d16352$68a6b940$39f42bc0$@comcast.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-SW-Source: 2016-02/txt/msg00117.txt.bz2 Sorry for starting a new thread w/ the reply, forgot to subscribe before posting my question yesterday... Thanks for getting back so quickly Yes, I have read that page pretty much from top to bottom, and as far as I know I have configured sshd and the user accounts correctly. I have a non-privileged, disabled account named "sshd", as well as a privileged account called "cyg_server". Privilege separation seems to be working fine - i.e. when the request for a connection comes in the process is running as "sshd", then it spawns a privileged process running as "cyg_server" once the user is authenticated. However no I am not logging in with a password; I have setup public key authentication. And the user I'm being connected as (as seen from the file share server) is not the "sshd" user account, it is the privileged "cyg_server" user account. Although that account has no rights to logon interactively or thru Terminal Services, it is a privileged account on the file server (because the file server is also running CYGWIN and thus must allow privileged rights to that account as well). I should clarify that in my case, cyg_server is a domain account (not a local account). And the way I can verify, is that I have a folder on that share that the user I am authenicating as does not have rights do view, but cyg_server does (because Administrators on that server do), and when I connect as my user via SSHD to any one of my other machines on the domain running CYGWIN, I can then navigate to and read the contents of that file share when I shouldn't be able to. If I try to do the same thing, from the same account, but on my machine locally without connecting to any other CYGWIN SSH server, I get a "Permission denied", which is what I would expect. Thank you for your help on this. David ---------------------------------------------------------------------------- -------------------------- Did you read https://cygwin.com/cygwin-ug-net/ntsec.html, configured sshd and the user accounts correctly and are logging in with a password using either of the methods described? FWIW, I'm seeing the connected user as the one that I logged into via ssh. In fact the sshd user account doesn't have any network access rights anyway, so I couldn't connect to any network share if that acount would be used. Regards, Achim. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple