From: Erik Soderquist
To: cygwin@cygwin.com
Date: Sat, 13 Feb 2016 01:04:00 -0000
Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?
In-Reply-To: <019e01d163c2$d678c7e0$836a57a0$@comcast.net>
References: <019c01d163bc$fe2fc500$fa8f4f00$@comcast.net> <019e01d163c2$d678c7e0$836a57a0$@comcast.net>
X-SW-Source: 2016-02/txt/msg00183.txt.bz2

On Wed, Feb 10, 2016 at 12:21 AM, David Willis wrote:
> Thank you for the response..
>
> That is the problem though, it is not an error I am getting (that is in fact
> the issue is that I SHOULD be getting a "permission denied" but I am not).
> The problem is that I have access to things that I should not. Since this is
> plain text only I can't post a SS of the open session that is shown in
> Computer Management->Shared Folders->Sessions, but it shows the privileged
> server account "cyg_server" instead of the user that I am accessing the
> share as (the user I SSH'd in as).
>
> And I just found out with further testing that when I connect using a
> password to Cygwin SSHD server, then access the file share, I have the
> correct permissions and it shows an open session as the user I connected as
> like it should. So it is something specifically that happens when connecting
> using public key authentication.
>
> Here is an example though:
>
> [user]@[client machine] ~$ ssh [user]@[SSH server].[domain]
> Enter passphrase for key '/home/[user]/.ssh/id_dsa':
> Last login: Mon Feb 8 21:41:51 2016 from [client machine]
>
> [user]@[SSH server] //[file server]/[share] $ ls -l
> total 8
> drwxrwx---+ 1 [admin user] Domain Users 0 Feb 7 18:29 [private folder]
> drwxrwx---+ 1 [user] Domain Users 0 Feb 7 17:31 [public folder]
>
> [user]@[SSH server] //[file server]/[share] $ ls -l [private folder]
> total 8
> -rwxrwx---+ 1 [admin user] Domain Users 6070 Feb 6 22:50 [private file]
>
> Please note that the user on the client machine and the user I am connecting
> as on the SSH server are the same user account (a domain account).
> The [admin account] is a domain account w/ domain admin privileges. The private
> folder has NTFS ACLs set on it to prevent anyone other than domain admins
> from listing the contents (as does the file inside it have ACLs preventing
> anyone other than domain admins from reading it). The public folder is
> listable by any domain users.
>
> Now what happens when I login with a password instead of a key:
>
> [user]@[client machine] ~$ ssh [user]@[SSH server].[domain]
> [user]@[SSH server].[domain]'s password:
> Last login: Tue Feb 9 20:18:44 2016 from [client machine]
>
> [user]@[SSH server] //[file server]/[share] $ ls -l
> total 8
> drwxr-x--- 1 Unknown+User Unknown+Group 0 Feb 7 18:29 [private folder]
> drwxrwx---+ 1 [user] Domain Users 0 Feb 7 17:31 [public folder]
>
> [user]@[SSH server] //[file server]/[share] $ ls -l [private folder]
> ls: cannot open directory [private folder]: Permission denied
>
> The behavior the second time is what I would expect the first time. Also in
> the second scenario, Computer Management->Shared Folders->Sessions shows the
> proper user being connected (the user I SSH'd in as) instead of the
> privileged server account "cyg_server".
>
> Thanks again for any help - much appreciated
>
> David

With the precise steps listed/demonstrated, I've reproduced it.

I connected with ssh as a normal user using a private key, and cd'd to
//server/c$/ successfully, and in the Windows active sessions, it does
indeed show "cyg_server" as the connected user, not the user I logged in
with. Trying this using a password rather than a private key behaves as
expected.

Taking this a step further, I created a new directory from Windows Explorer
and reset the permissions to explicitly deny access to the normal user I
tested with. Then I tried to cd to /cygdrive/c/access_denied_test/ and
received the expected access denied message, but when I tried to cd to
//server/c$/access_denied_test/ I succeeded, and was able to create new
files in the directory.
I can provide screen shots of the reproduction without the need to redact
quite so much.

-- Erik

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
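An added regression probe for the behaviour reproduced in this thread (it is not from the thread or from the Cygwin project): it repeats the `ls` check over ssh, once with key and once with password authentication, against a directory the user is denied, reached both through /cygdrive and through its UNC path, and flags the case where the UNC path is readable while the local path is denied. The target, user and both paths are placeholders passed on the command line.

```shell
#!/bin/bash
# Regression probe for the symptom in this thread: a directory the SSH user is
# denied via /cygdrive/... must also be denied via its UNC path //fileserver/...,
# for both public-key and password logins.
# Usage (placeholder arguments chosen by the operator):
#   ./share_identity_probe.sh user@sshserver /cygdrive/c/denied_dir //fileserver/c$/denied_dir
set -u

# Run `ls` on one path in an ssh session forced to the given auth method.
# Returns the remote ls exit status (0 = listing worked), or 255 if ssh itself
# failed (for example because the server refused that method).
probe() {
    local method=$1 target=$2 path=$3 opts
    case $method in
        key)      opts="-o PubkeyAuthentication=yes -o PasswordAuthentication=no -o BatchMode=yes" ;;
        password) opts="-o PubkeyAuthentication=no -o PasswordAuthentication=yes" ;;  # prompts
        *)        echo "unknown method: $method" >&2; return 2 ;;
    esac
    # $opts is deliberately unquoted so it splits into separate ssh options.
    ssh $opts "$target" "ls -- '$path' >/dev/null 2>&1"
}

# Map the two exit statuses (local path, UNC path) to a verdict token.
# ESCALATION is the reported symptom: denied locally, readable over the share.
verdict() {
    local local_rc=$1 unc_rc=$2
    if [ "$local_rc" -eq 255 ] || [ "$unc_rc" -eq 255 ]; then
        echo UNREACHABLE      # ssh failed; that auth method may be disabled
    elif [ "$local_rc" -ne 0 ] && [ "$unc_rc" -eq 0 ]; then
        echo ESCALATION       # share access is not using the SSH user's identity
    elif [ "$local_rc" -ne 0 ]; then
        echo OK               # denied both ways, as the NTFS ACL intends
    elif [ "$unc_rc" -ne 0 ]; then
        echo SHARE_DENIED     # share-level permission blocks it; inconclusive
    else
        echo UNRESTRICTED     # user may read it anyway; pick a denied directory
    fi
}

main() {
    local target=$1 local_path=$2 unc_path=$3 method l u
    for method in key password; do
        probe "$method" "$target" "$local_path" && l=0 || l=$?
        probe "$method" "$target" "$unc_path"   && u=0 || u=$?
        printf '%-9s local=%-3s unc=%-3s -> %s\n' "$method" "$l" "$u" "$(verdict "$l" "$u")"
    done
}

if [ $# -eq 3 ]; then main "$@"; fi
```

Run it from the client against a directory whose NTFS ACL denies the SSH user; only the `password` leg prompts, and any `ESCALATION` line reproduces the behaviour described above.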