* Switching the user context -- SeAssignPrimaryTokenPrivilege required Re: Installing sshd on W7 reveals errors in CSIH_SCRIPT -- patch file against master
From: Houder @ 2017-06-08 14:46 UTC
  To: cygwin

Hi Corinna,

Maybe you are still around ... otherwise it will be for the next round.

During my exercise with sshd I was "forced" :-) to study the User Guide, as I
am not "well informed" :-P about the security model of Windows.

I am referring to this paragraph:

    https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
    (switching the user context)

To get a bit more acquainted with the stuff, I decided to try your example at
the beginning of this paragraph - i.e. the example in subparagraph "Switching
the user context WITH password authentication".

(I modified the example in order to make it a bit more "exciting" -- see below)

64-@@# uname -a
CYGWIN_NT-6.1 Seven 2.8.0(0.309/5/3) 2017-04-01 20:47 x86_64 Cygwin
64-@@# editrights -u Henri -l
SeLockMemoryPrivilege <==== no special? privileges ...

64-@@# ./setuid
Password:
BEFORE  uid = 1000,  gid =  513
BEFORE euid = 1000, egid =  513
AFTER   uid = 1004,  gid =  513
AFTER  euid = 1004, egid =  513
Surprise: execl() failed: : Operation not permitted
retval = -1
Should not be reached ...
64-@@#

First I tried adding SeTcbPrivilege ("extremely powerful", according to what I
read at MSDN). Logoff/Logon ...

That did not help. Got the same result. So, NOT that powerful ...

Secondly I tried adding SeAssignPrimaryTokenPrivilege ... Logoff/Logon ...

64-@@# ./setuid
Password:
BEFORE  uid = 1000,  gid =  513
BEFORE euid = 1000, egid =  513
AFTER   uid = 1004,  gid =  513
AFTER  euid = 1004, egid =  513
sh-4.4$ id
uid=1004(jvdwater) gid=513(None) groups=513(None),545(Users),11(Authenticated Users)
sh-4.4$ exit
64-@@# 

It might be ?obvious? to an expert on Windows (after having searched through
MSDN?), that this privilege (SeAssignPrimaryTokenPrivilege) is required ...

That is, when one is going to invoke CreateProcessAsUser() ...

However, someone without that knowledge ...
Perhaps a small note to that effect (special privilege required!) in "Switching
the user context with password authentication" might help the 'innocent' reader.

Regards.
Henri

-----
setuid.c:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <windows.h>
#include <sys/cygwin.h>

int
main (void)
{
    const struct passwd *user_pwd_entry = getpwnam ("jvdwater");
    const char *cleartext_password = getpass ("Password:");

    /* The target account must exist before its passwd entry is used. */
    if (user_pwd_entry == NULL)
        { printf("0\n"); exit(EXIT_FAILURE); }

    /* Patch the typical password test. */
    HANDLE token;

    /* Try to get the access token from Windows. */
    token = cygwin_logon_user (user_pwd_entry, cleartext_password);
    if (token == INVALID_HANDLE_VALUE)
        { printf("1\n"); exit(EXIT_FAILURE); } // error_exit;
    /* Inform Cygwin about the new impersonation token. */
    cygwin_set_impersonation_token (token);
    /* Cygwin is now able to switch to that user context by setuid or seteuid calls. */

    printf("BEFORE  uid = %4u,  gid = %4u\n",  getuid(),  getgid() );
    printf("BEFORE euid = %4u, egid = %4u\n", geteuid(), getegid() );

    if (setgid (user_pwd_entry->pw_gid) != 0) // Use set[gu]id, NOT sete[gu]id
        { printf("3\n"); exit(EXIT_FAILURE); }
    if (setuid (user_pwd_entry->pw_uid) != 0) // Use set[gu]id, NOT sete[gu]id
        { printf("4\n"); exit(EXIT_FAILURE); }

    printf("AFTER   uid = %4u,  gid = %4u\n",  getuid(),  getgid() );
    printf("AFTER  euid = %4u, egid = %4u\n", geteuid(), getegid() );

    // uid (and euid) should be set to jvdwater at this point
    // execl() only returns if starting the new process failed.
    int retval = execl ("/bin/bash", "sh", (char  *) NULL);
    if (retval != 0)
        { perror("Surprise: execl() failed: "); } // SeAssignPrimaryTokenPrivilege missing?
    printf("retval = %d\n", retval);

    printf("Should not be reached ...\n");
    return EXIT_FAILURE;
}

====


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Switching the user context -- SeAssignPrimaryTokenPrivilege required Re: Installing sshd on W7 reveals errors in CSIH_SCRIPT -- patch file against master
From: Corinna Vinschen @ 2017-06-09  9:01 UTC
  To: cygwin


On Jun  8 16:46, Houder wrote:
> Hi Corinna,
> 
> Maybe you are still around ... otherwise it will be for the next round.
> 
> During my exercise with sshd I was "forced" :-) to study the User Guide, as I
> am not "well informed" :-P about the security model of Windows.
> 
> I am referring to this paragraph:
> 
>     https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>     (switching the user context)
> 
> To get a bit more acquainted with the stuff, I decided to try your example at
> the beginning of this paragraph - i.e. the example in subparagraph "Switching
> the user context WITH password authentication".
> 
> (I modified the example in order to make it a bit more "exciting" -- see below)
> 
> 64-@@# uname -a
> CYGWIN_NT-6.1 Seven 2.8.0(0.309/5/3) 2017-04-01 20:47 x86_64 Cygwin
> 64-@@# editrights -u Henri -l
> SeLockMemoryPrivilege <==== no special? privileges ...
> 
> 64-@@# ./setuid
> Password:
> BEFORE  uid = 1000,  gid =  513
> BEFORE euid = 1000, egid =  513
> AFTER   uid = 1004,  gid =  513
> AFTER  euid = 1004, egid =  513
> Surprise: execl() failed: : Operation not permitted
> retval = -1
> Should not be reached ...
> 64-@@#
> 
> First I tried adding SeTcbPrivilege ("extremely powerful", according to what I
> read at MSDN). Logoff/Logon ...
> 
> That did not help. Got the same result. So, NOT that powerful ...
> 
> Secondly I tried adding SeAssignPrimaryTokenPrivilege ... Logoff/Logon ...
> 
> 64-@@# ./setuid
> Password:
> BEFORE  uid = 1000,  gid =  513
> BEFORE euid = 1000, egid =  513
> AFTER   uid = 1004,  gid =  513
> AFTER  euid = 1004, egid =  513
> sh-4.4$ id
> uid=1004(jvdwater) gid=513(None) groups=513(None),545(Users),11(Authenticated Users)
> sh-4.4$ exit
> 64-@@# 
> 
> It might be ?obvious? to an expert on Windows (after having searched through
> MSDN?), that this privilege (SeAssignPrimaryTokenPrivilege) is required ...
> 
> That is, when one is going to invoke CreateProcessAsUser() ...
> 
> However, someone without that knowledge ...
> Perhaps a small note to that effect (special privilege required!) in "Switching
> the user context with password authentication" might help the 'innocent' reader.

You're not supposed to do that.  setuid() is a privileged call, so it's
supposed to be called by a privileged process only.  Do not add these
permissions to a normal user account unless you exactly know what you're
doing security-wise.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
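
Added example, not part of the thread or of Cygwin: one way to audit a machine for the kind of grant warned about above. It assumes the user rights were exported in the INF layout written by "secedit /export /cfg <file> /areas USER_RIGHTS"; the sample text, the allow-list and the S-1-5-21 SID are constructed for illustration.

```python
import re

# Privileges the thread experimented with granting to a regular account.
SENSITIVE = {"SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege"}
# Assumption: built-in service identities accepted as holders
# (LocalSystem, LocalService, NetworkService).
ALLOWED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Constructed sample in secedit INF layout; the S-1-5-21 SID is a placeholder.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeLockMemoryPrivilege = Henri
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,Henri
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1000
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {privilege: [holders]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")   # tolerate a leading BOM
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [h.strip() for h in value.split(",") if h.strip()]
    return rights

def find_risky_grants(text):
    """Return sorted (privilege, holder) pairs that need review."""
    findings = []
    for priv, holders in parse_privilege_rights(text).items():
        if priv not in SENSITIVE:
            continue
        for holder in holders:
            # SIDs are written with a leading '*'; bare names are accounts.
            sid = holder[1:] if holder.startswith("*") else None
            if sid not in ALLOWED_SIDS:
                findings.append((priv, holder))
    return sorted(findings)

if __name__ == "__main__":
    for priv, holder in find_risky_grants(SAMPLE_EXPORT):
        print(f"REVIEW: {holder} holds {priv}")
```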


* Re: Switching the user context -- SeAssignPrimaryTokenPrivilege required
From: Houder @ 2017-06-09 11:37 UTC
  To: cygwin

On Fri, 9 Jun 2017 11:00:36, Corinna Vinschen wrote:

[snip]
> You're not supposed to do that.  setuid() is a privileged call, so it's
> supposed to be called by a privileged process only.  Do not add these
> permissions to a normal user account unless you exactly know what you're
> doing security-wise.

No, indeed, one is not supposed to do that (permanently assign this privilege
to a regular user account). Definitely. Absolutely ...

I only intended to demonstrate the essence (gist?) of the subparagraph:

    user context switch => CreateProcessAsUser()

Without the invocation of CreateProcessAsUser() there is no context switch.

Regards,
Henri


