Subject: Re: openssh: privilege separation no longer supported on Cygwin? SURPRISE!
To: cygwin@cygwin.com
From: cyg Simple
Date: Wed, 31 May 2017 14:46:00 -0000
Message-ID: <28f7eeae-ed40-9837-53bc-d2d6a33ad5a7@gmail.com>
In-Reply-To: <38be07babbfc69d5ccea67afe6f92794@smtp-cloud2.xs4all.net>

On 5/31/2017 5:37 AM, Houder wrote:
> On Tue, 30 May 2017 21:28:41, "Larry Hall (Cygwin)" wrote:
>
> [snip]
>> Cygwin's link to the Windows user ID is through the UID/SID mapping. In
>> your case, you're apparently using /etc/passwd and so that's where the
>> mapping happens. You can map the UID of a Cygwin user to any valid Windows
>> SID by editing the SID as you did. This doesn't change how things look in
>> the Cygwin environment (i.e. the UID and user name are still the same) but
>> it does make a difference to Windows. So the fact that you can change the
>> SID for the 'sshd' user and still get it to run is not all that surprising,
>> assuming that the new Windows SID that you're using as 'sshd' now has at
>> least similar permissions. Of course, if you remove Cygwin's understanding
>> of 'sshd' so that it can't do the mapping of UID to SID or even have a
>> valid UID, then subsequent problems are not unexpected.
>
> Hi Larry,
>
> Thanks for your reply! Discussion!
>
> First of all, I do not pretend to know Windows ... neither do I pretend that I
> know more about ssh/Cygwin than Corinna does (basically, I know not very much).
>
> .. the only thing I am able to, is "observe" (and I may interpret wrong), and
> may have done "stupid" things. That is why your reply is appreciated by me.
>
> Now back to your reply:
>
> I had modified /etc/password as follows: (note the xxxx in the sid)
>
> sshd:*:1015:513:U-Seven\sshd,S-1-5-21-91509220-1575020443-2714799223-xxxx:/var/empty:/bin/false
>
> However, just now I modified it as follows:
>
> sshd:*:1015:513:U-Seven\sshd,S-1-5-21-xxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx:/var/empty:/bin/false
>
> (again changed the sshd service into 'automatic'), and rebooted the system.
>
> After system reboot, an elevated shell is started ...
> (the ampersand sign at the end of the prompt indicates it is an elevated shell)

All of this talk of /etc/passwd leads me to point you to
https://cygwin.com/cygwin-ug-net/ntsec.html.

--
cyg Simple
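
An added example (not part of the thread and not Cygwin's own code): a shell function that audits the UID-to-SID mapping held in the gecos field of Cygwin-style /etc/passwd entries like those quoted above, flagging SIDs that are missing, malformed, shared by two accounts, or highly privileged. The function names, verdict labels and sample entries are constructed for illustration.

```shell
# Added example: audit the UID -> SID mapping in Cygwin-style passwd entries.
# Function names, verdict labels and sample data are assumptions of this example.

audit_passwd_sids() {
    # Reads passwd lines on stdin; prints "user uid verdict [sid]" per entry.
    awk -F: '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        user = $1; uid = $3; sid = ""
        n = split($5, part, ",")           # gecos holds "U-domain-user,SID"
        for (i = 1; i <= n; i++)
            if (part[i] ~ /^S-/) sid = part[i]
        if (sid == "")
            verdict = "NO_SID"             # no mapping stored in this entry
        else if (sid !~ /^S-1-[0-9]+(-[0-9]+)+$/)
            verdict = "MALFORMED"          # masked or hand-edited value
        else if (sid == "S-1-5-18" || sid ~ /^S-1-5-21-.*-500$/)
            verdict = "PRIVILEGED"         # SYSTEM or built-in Administrator
        else if (sid in seen)
            verdict = "DUPLICATE_OF_" seen[sid]
        else
            verdict = "OK"
        if (sid != "" && !(sid in seen)) seen[sid] = user
        print user, uid, verdict, sid
    }'
}

sample_passwd() {
    # Constructed entries; the SIDs are made-up values, not from a real host.
    cat <<'EOF'
sshd:*:1015:513:U-Seven\sshd,S-1-5-21-1111111111-2222222222-3333333333-1001:/var/empty:/bin/false
masked:*:1016:513:U-Seven\masked,S-1-5-21-xxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx:/var/empty:/bin/false
svc:*:1017:513:U-Seven\svc,S-1-5-21-1111111111-2222222222-3333333333-500:/var/empty:/bin/false
alias:*:1018:513:U-Seven\alias,S-1-5-21-1111111111-2222222222-3333333333-1001:/home/alias:/bin/bash
plain:*:1019:513:Plain User:/home/plain:/bin/bash
EOF
}

# Stand-alone run over the constructed sample; on a real host use:
#   audit_passwd_sids < /etc/passwd
sample_passwd | audit_passwd_sids
```

Any verdict other than OK on a service account such as sshd is worth checking against the account's actual Windows SID before the service is restarted.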