* 1.7.9: login via ssh allows Administrator privileges
@ 2011-10-09 0:25 Michael Hoffman
2011-10-09 13:45 ` Christian Franke
2011-10-09 15:05 ` Andrey Repin
0 siblings, 2 replies; 5+ messages in thread
From: Michael Hoffman @ 2011-10-09 0:25 UTC (permalink / raw)
To: cygwin

My user account is in the Administrators group, but has User Account Control
turned on. I've installed sshd and turned it on, ssh-host-config, and enabled
the Cygwin Local Security Authority authentication package with cyglsa-config.

When I log in via ssh I find I have Administrator privileges:

$ id -a
uid=1000(Michael) gid=513(None) groups=513(None),545(Users)

$ ssh localhost

# id -a
uid=1000(Michael) gid=513(None)
groups=513(None),0(root),544(Administrators),545(Users)

Is there a way to turn this off or remove myself from the Administrators and
root groups? I prefer not to have administrative access unless I explicitly
request it.

Cygcheck output: http://pastebin.com/S6CyKpaD

Many thanks,
Michael Hoffman
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
* Re: 1.7.9: login via ssh allows Administrator privileges
From: Christian Franke @ 2011-10-09 13:45 UTC (permalink / raw)
To: cygwin
Michael Hoffman wrote:
> When I log in via ssh I find I have Administrator privileges:
>
> $ id -a
> uid=1000(Michael) gid=513(None) groups=513(None),545(Users)
>
> $ ssh localhost
>
> # id -a
> uid=1000(Michael) gid=513(None)
> groups=513(None),0(root),544(Administrators),545(Users)
>
> Is there a way to turn this off or remove myself from the Administrators and
> root groups? I prefer not to have administrative access unless I explicitly
> request it.

Restarting the shell through cygdrop from the cygutils package may help:

# exec cygdrop /bin/bash -l

This does essentially the same as Windows if UAC is enabled: The process
is started with a restricted token where admin group(s) and privileges
are removed.

The cygdrop -v option prints the removed groups and privileges, -vv
also prints the preserved ones. There are also options to control which
groups or privileges are removed in case the default is not suitable.

--
Christian Franke
* Re: 1.7.9: login via ssh allows Administrator privileges
From: Andrey Repin @ 2011-10-09 15:05 UTC (permalink / raw)
To: Michael Hoffman, cygwin
Greetings, Michael Hoffman!

> Is there a way to turn this off or remove myself from the Administrators and
> root groups? I prefer not to have administrative access unless I explicitly
> request it.

Then don't work as a user from the Administrators group.
Simple.

--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 09.10.2011, <19:03>
Sorry for my terrible english...
* Re: 1.7.9: login via ssh allows Administrator privileges
From: Michael Hoffman @ 2011-10-09 18:38 UTC (permalink / raw)
To: cygwin
Christian Franke <Christian.Franke <at> t-online.de> writes:
> Michael Hoffman wrote:
> > When I log in via ssh I find I have Administrator privileges:
> >
> > [snip]
> >
> > Is there a way to turn this off or remove myself from the Administrators and
> > root groups? I prefer not to have administrative access unless I explicitly
> > request it.
>
> Restarting the shell through cygdrop from cygutils package may help:
>
> # exec cygdrop /bin/bash -l

Thanks for the helpful response! I was able to get the behavior I wanted by
adding this to /etc/sshd_config:

ForceCommand /bin/bash /etc/ssh-cygdrop

and putting this in /etc/ssh-cygdrop:

exec cygdrop ${SSH_ORIGINAL_COMMAND:-"$SHELL"}

Thanks again!
Michael
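
Added example, not part of the thread: a small check for confirming that a session started through the ForceCommand wrapper above no longer carries the administrative groups. It parses `id -a` output like that in the first message; the helper name privileged_groups is hypothetical, and treating GIDs 0 and 544 as the privileged set is an assumption taken from the groups shown in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): list the privileged groups found in
# `id -a` output. GIDs 0(root) and 544(Administrators) are the two extra
# groups shown in the elevated ssh session; privileged_groups is a
# hypothetical helper name.

# Sample outputs copied from the first message; the second keeps its line wrap.
SAMPLE_LOCAL='uid=1000(Michael) gid=513(None) groups=513(None),545(Users)'
SAMPLE_SSH='uid=1000(Michael) gid=513(None)
groups=513(None),0(root),544(Administrators),545(Users)'

# Prints the privileged entries, comma-separated.
# Status: 0 = none present, 1 = at least one present, 2 = not id output.
privileged_groups() (
    out=$(printf '%s' "$1" | tr -d '\n')    # undo mail line wrapping
    case "$out" in
        *groups=*) list=${out#*groups=} ;;
        *) exit 2 ;;                        # unparseable: never report "clean"
    esac
    found=''
    IFS=,                                   # confined to this subshell body
    set -f                                  # no globbing on group names
    for entry in $list; do
        gid=${entry%%\(*}                   # "544(Administrators)" -> "544"
        case "$gid" in
            0|544) found="${found:+$found,}$entry" ;;
        esac
    done
    printf '%s\n' "$found"
    [ -z "$found" ]
)

# Demonstration on the thread's elevated session output.
# On a live host: privileged_groups "$(ssh localhost id -a)"
privileged_groups "$SAMPLE_SSH" ||
    echo "session token still includes administrative groups"
```
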
* Re: 1.7.9: login via ssh allows Administrator privileges
From: Christian Franke @ 2011-10-13 19:06 UTC (permalink / raw)
To: cygwin
Michael Hoffman wrote:
> Christian Franke<...> writes:
>
>> Michael Hoffman wrote:
>>> When I log in via ssh I find I have Administrator privileges:
>>>
>>> [snip]
>>>
>>> Is there a way to turn this off or remove myself from the Administrators and
>>> root groups? I prefer not to have administrative access unless I explicitly
>>> request it.
>> Restarting the shell through cygdrop from cygutils package may help:
>>
>> # exec cygdrop /bin/bash -l
> Thanks for the helpful response! I was able to get the behavior I wanted by
> adding this to /etc/sshd_config:
> ...

You're welcome. I'm glad my cygdrop tool is useful here.

Meantime I noticed one difference: If the Cygwin shell is started normally from
Explorer, UAC-Virtualization is effective. This is not the case if the
shell is started through cygdrop. Should not make much difference for
the typical use cases of Cygwin which normally do not change files below
$PROGRAMFILES or $WINDIR.

--
Christian Franke