Date: Wed, 31 May 2017 10:51:00 -0000
Message-ID: <38be07babbfc69d5ccea67afe6f92794@smtp-cloud2.xs4all.net>
From: Houder
To: cygwin@cygwin.com
Subject: Re: openssh: privilege separation no longer supported on Cygwin? SURPRISE!
In-Reply-to: <592E1C49.6020202@cygwin.com>

On Tue, 30 May 2017 21:28:41, "Larry Hall (Cygwin)" wrote:

[snip]
> Cygwin's link to the Windows user ID is through the UID/SID mapping. In
> your case, you're apparently using /etc/passwd and so that's where the
> mapping happens. You can map the UID of a Cygwin user to any valid Windows
> SID by editing the SID as you did.
> This doesn't change how things look in
> the Cygwin environment (i.e. the UID and user name are still the same) but
> it does make a difference to Windows. So the fact that you can change the
> SID for the 'sshd' user and still get it to run is not all that surprising,
> assuming that the new Windows SID that you're using as 'sshd' now has at
> least similar permissions. Of course, if you remove Cygwin's understanding
> of 'sshd' so that it can't do the mapping of UID to SID or even have a
> valid UID, then subsequent problems are not unexpected.

Hi Larry,

Thanks for your reply! Discussion!

First of all, I do not pretend to know Windows ... neither do I pretend that
I know more about ssh/Cygwin than Corinna does (basically, I know not very
much).

.. the only thing I am able to, is "observe" (and I may interpret wrong), and
may have done "stupid" things.

That is why your reply is appreciated by me.

Now back to your reply:

I had modified /etc/password as follows: (note the xxxx in the sid)

sshd:*:1015:513:U-Seven\sshd,S-1-5-21-91509220-1575020443-2714799223-xxxx:/var/empty:/bin/false

However, just now I modified it as follows:

sshd:*:1015:513:U-Seven\sshd,S-1-5-21-xxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx:/var/empty:/bin/false

(again changed the sshd service into 'automatic'), and rebooted the system.

After system reboot, an elevated shell is started ...
(the ampersand sign at the end of the prompt indicates it is an elevated shell)

# my .bash_profile interrogates the cygwin1.dll ...
/home/corinna/src/cygwin/cygwin-2.8.0/cygwin-2.8.0-1.x86_64/src/newlib-cygwin/winsup/cygwin/cygheap.cc
64-@@#
64-@@# cygrunsrv -Q sshd
Service : sshd
Display name : CYGWIN sshd
Current State : Running
Controls Accepted : Stop
Command : /usr/sbin/sshd -4 -D -e

Looking good ...

64-@@# net user sshd
The user name could not be found.

More help is available by typing NET HELPMSG 2221.

As far as I know, this means that Windows tells me user sshd does NOT exist!
However, I can still use the ssh command ... (see below).

Now, if I understand correctly, "Corinna" may use the first (of the 4) method,
i.e. the one based on NtCreateToken(), to change the user context ...
(Q: is that even possible for a NON-existing user?)

However, neither the ps command nor the "Process Explorer" show me a context
that "belongs" to user sshd [1] (instead it belongs to user cyg_server).

[1] I refer to the grandchild of the listener, the one that exists before the
authentication phase terminates ...

Yes, I know; I may still be wrong ... I report what I observe ... yes, I do not
have the deep knowledge of Windows that Corinna has. I know.

Regards,
Henri

-----
From an UNelevated shell:

64-@@ ssh -p -l Henri 192.168.178.15
Enter passphrase for key '/home/Henri/.ssh/': # Henri is privileged
Last login: Wed May 31 10:30:52 2017 from 192.168.178.15
TADA !!!!! <==== contents of /etc/motd
/home/corinna/src/cygwin/cygwin-2.8.0/cygwin-2.8.0-1.x86_64/src/newlib-cygwin/winsup/cygwin/cygheap.cc
64-@@# exit <==== full-blown elevated shell! (try whoami /all)
logout
Connection to 192.168.178.15 closed.

64-@@ ssh -p -l jvdwater 192.168.178.15
jvdwater@192.168.178.15's password: # jvdwater is UNprivileged
Last login: Wed May 31 10:29:27 2017 from 192.168.178.15
TADA !!!!!
64-@@ exit <==== ordinary UNelevated shell
logout
Connection to 192.168.178.15 closed.

64-@@# tail -f /var/log/sshd.log
Server listening on 0.0.0.0 port .
Accepted publickey for Henri from 192.168.178.15 port 49186 ssh2:
Received disconnect from 192.168.178.15 port 49186:11: disconnected by user
Disconnected from user Henri 192.168.178.15 port 49186
Accepted password for jvdwater from 192.168.178.15 port 49191 ssh2
Received disconnect from 192.168.178.15 port 49191:11: disconnected by user
Disconnected from user jvdwater 192.168.178.15 port 49191
=====

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
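
Added example, not part of the original message and not Cygwin's own code: a small audit of the UID-to-SID mapping discussed above, which reads passwd-format lines and reports whether the SID carried in the fifth (gecos) field is well formed. The function name audit_sid_map and the sample entries are assumptions made for illustration; the field layout is taken from the sshd entries shown in the message, and the check is syntactic only (it does not ask Windows whether the account exists).

```shell
#!/bin/sh
# Constructed sample input. The first SID is made up, the second is the
# masked sshd entry from the message, the third has no SID at all.
SAMPLE_PASSWD='Henri:*:1000:513:U-Seven\Henri,S-1-5-21-1111111111-2222222222-3333333333-1000:/home/Henri:/bin/bash
sshd:*:1015:513:U-Seven\sshd,S-1-5-21-xxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx:/var/empty:/bin/false
nosid:*:1016:513:no mapping here:/home/nosid:/bin/bash'

# audit_sid_map (hypothetical helper): reads passwd lines on stdin and
# prints "user uid status sid" for each one.
#   OK        gecos holds a syntactically valid SID
#   BAD_SID   gecos holds an S-... token that is not a valid SID
#   NO_SID    gecos holds no SID, so no explicit mapping is recorded here
#   MALFORMED the line does not have the seven passwd fields
audit_sid_map() {
    awk -F: '
    NF < 7 { printf "%s - MALFORMED -\n", $1; next }
    {
        sid = "-"; status = "NO_SID"
        # The gecos field is a comma-separated list; the SID is the
        # element that starts with "S-".
        n = split($5, part, ",")
        for (i = 1; i <= n; i++) {
            if (part[i] ~ /^S-/) {
                sid = part[i]
                if (sid ~ /^S-1-[0-9]+(-[0-9]+)+$/)
                    status = "OK"
                else
                    status = "BAD_SID"
            }
        }
        printf "%s %s %s %s\n", $1, $3, status, sid
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | audit_sid_map
```

On a real system the same function can be fed /etc/passwd directly; any service account reported as BAD_SID or NO_SID is one whose Windows identity should be confirmed by other means.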