1.7.9: login via ssh allows Administrator privileges

1.7.9: login via ssh allows Administrator privileges

[Michael Hoffman]

My user account is in the Administrators group, but has User Account Control
turned on. I've installed sshd and turned it on, ssh-host-config, and enabled
the Cygwin Local Security Authority authentication package with cyglsa-config.

When I log in via ssh I find I have Administrator privileges:

$ id -a
uid=1000(Michael) gid=513(None) groups=513(None),545(Users)

$ ssh localhost

# id -a
uid=1000(Michael) gid=513(None)
groups=513(None),0(root),544(Administrators),545(Users)

Is there a way to turn this off or remove myself from the Administrators and
root groups? I prefer not to have administrative access unless I explicitly
request it.

Cygcheck output: http://pastebin.com/S6CyKpaD

Many thanks,
Michael Hoffman


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: 1.7.9: login via ssh allows Administrator privileges

[Christian Franke]

Michael Hoffman wrote:
> When I log in via ssh I find I have Administrator privileges:
>
> $ id -a
> uid=1000(Michael) gid=513(None) groups=513(None),545(Users)
>
> $ ssh localhost
>
> # id -a
> uid=1000(Michael) gid=513(None)
> groups=513(None),0(root),544(Administrators),545(Users)
>
> Is there a way to turn this off or remove myself from the Administrators and
> root groups? I prefer not to have administrative access unless I explicitly
> request it.

Restarting the shell through cygdrop from cygutils package may help:

# exec cygdrop /bin/bash -l

This does essentially the same as Windows if UAC is enabled: The process 
is started with a restricted token where admin group(s) and privileges 
are removed.

The cygdrop -v option prints the removed groups and privileges, -vv 
prints also the preserved ones. There are also options to control which 
groups or privileges are removed in case the default is not suitable.

-- 
Christian Franke


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: 1.7.9: login via ssh allows Administrator privileges

[Andrey Repin]

Greetings, Michael Hoffman!

> Is there a way to turn this off or remove myself from the Administrators and
> root groups? I prefer not to have administrative access unless I explicitly
> request it.

Then don't work as user from Administrators group.
Simple.


--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 09.10.2011, <19:03>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: 1.7.9: login via ssh allows Administrator privileges

[Michael Hoffman]

Christian Franke <Christian.Franke <at> t-online.de> writes:

> Michael Hoffman wrote:
> > When I log in via ssh I find I have Administrator privileges:
> >
> > [snip]
> >
> > Is there a way to turn this off or remove myself from the Administrators and
> > root groups? I prefer not to have administrative access unless I explicitly
> > request it.
> 
> Restarting the shell through cygdrop from cygutils package may help:
> 
> # exec cygdrop /bin/bash -l

Thanks for the helpful response! I was able to get the behavior I wanted by
adding this to /etc/sshd_config:

ForceCommand /bin/bash /etc/ssh-cygdrop

and putting this in /etc/ssh-cygdrop:

exec cygdrop ${SSH_ORIGINAL_COMMAND:-"$SHELL"}

Thanks again!
Michael


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: 1.7.9: login via ssh allows Administrator privileges

[Christian Franke]

Michael Hoffman wrote:
> Christian Franke<...>  writes:
>
>> Michael Hoffman wrote:
>>> When I log in via ssh I find I have Administrator privileges:
>>>
>>> [snip]
>>>
>>> Is there a way to turn this off or remove myself from the Administrators and
>>> root groups? I prefer not to have administrative access unless I explicitly
>>> request it.
>> Restarting the shell through cygdrop from cygutils package may help:
>>
>> # exec cygdrop /bin/bash -l
> Thanks for the helpful response! I was able to get the behavior I wanted by
> adding this to /etc/sshd_config:
> ...

You're welcome. I'm glad my cygdrop tool is useful here.

Meantime I noticed one difference: If Cygwin shell started normally from 
explorer, UAC-Virtualization is effective. This is not the case if the 
shell is started through cygdrop. Should not make much difference for 
the typical use cases of Cygwin which normally do not change files below 
$PROGRAMFILES or $WINDIR.

-- 
Christian Franke


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple