public inbox for cygwin@cygwin.com
* Still confused about cyg_server vs. user id when logging in via ssh
From: cygwin @ 2013-11-03 20:04 UTC (permalink / raw)
  To: cygwin

When I log in via ssh, I *appear* at first glance to have the same id
and privileges as I do when I log in directly.

a) If I am an administrator, then 'id -a' gives the following
   consistent answer for both direct and ssh login:
   	uid=1001(myusername) gid=513(None) groups=513(None),0(root),544(Administrators),545(Users)

b) If I am a regular user, then 'id -a' gives the following consistent
answer:
   	uid=1001(myusername) gid=513(None) groups=513(None),545(Users)


However, there are some important differences.
1. First and most importantly, when I log in as administrator via 'ssh',
   somehow cyg_server seems to be the real owner of all my files
   (despite the fact that cygwin 'ls -al' seems to mask that).

In particular, 'subinacl' gives
   /owner =mymachine\cyg_server
   /pace =winlawyer\cyg_server  Type=0x0 Flags=0x0 AccessMask=0x1f019f
For all files that are actually owned by me... though it gets the
ownership right for files owned by others.

This is a problem since I use ssh as part of my backup scripts to run
subinacl to back up ACLs.

My bottom line question is whether there is any way to log in via SSH
and to get a shell with true ADMINISTRATOR privileges so that there is
no difference between an SSH login and a local login... at a minimum,
is there any way to get subinacl to work right?

2. Whether I log in as an ordinary user or as administrator via SSH,
only some but not all user variables are properly set. So, for example
"HOME" seems to be set properly but not for example "APPDATA". I don't
understand why some variables are set and not others...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Still confused about cyg_server vs. user id when logging in via ssh
From: Corinna Vinschen @ 2013-11-04 12:03 UTC (permalink / raw)
  To: cygwin


On Nov  3 15:03, frigging raw email address wrote:
> When I log in via ssh, I *appear* at first glance to have the same id
> and privileges as I do when I log in directly.
> 
> a) If I am an administrator, then 'id -a' gives the following
>    consistent answer for both direct and ssh login:
>    	uid=1001(myusername) gid=513(None) groups=513(None),0(root),544(Administrators),545(Users)
> 
> b) If I am a regular user, then 'id -a' gives the following consistent
> answer:
>    	uid=1001(myusername) gid=513(None) groups=513(None),545(Users)
> 
> 
> However, there are some important differences.
> 1. First and most importantly, when I log in as administrator via 'ssh',
>    somehow cyg_server seems to be the real owner of all my files
>    (despite the fact that cygwin 'ls -al' seems to mask that).
> 
> In particular, 'subinacl' gives
>    /owner =mymachine\cyg_server
>    /pace =winlawyer\cyg_server  Type=0x0 Flags=0x0 AccessMask=0x1f019f
> For all files that are actually owned by me... though it gets the
> ownership right for files owned by others.
> 
> This is a problem since I use ssh as part of my backup scripts to run
> subinacl to back up ACLs.
> 
> My bottom line question is whether there is any way to log in via SSH
> and to get a shell with true ADMINISTRATOR privileges so that there is
> no difference between an SSH login and a local login... at a minimum,
> is there any way to get subinacl to work right?

http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-logonuser

> 2. Whether I log in as an ordinary user or as administrator via SSH,
> only some but not all user variables are properly set. So, for example
> "HOME" seems to be set properly but not for example "APPDATA". I don't
> understand why some variables are set and not others...

Security reasons, a request from the upstream OpenSSH maintainers way
back when.  This has been discussed in the past on this ML, including
some workarounds, AFAIR.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: Still confused about cyg_server vs. user id when logging in via ssh
From: Anthony Geoghegan @ 2013-11-06 14:32 UTC (permalink / raw)
  To: cygwin

>> My bottom line question is whether there is any way to log in via SSH
>> and to get a shell with true ADMINISTRATOR privileges so that there is
>> no difference between an SSH login and a local login... at a minimum,
>> is there any way to get subinacl to work right?
>
> http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-logonuser

I spent ages wrestling with similar issues. I found running `mkpasswd
-c` a useful way to see which Windows user I'm logged in as. It took a
lot of experimentation to realise that I was only logged in with the
permissions of my Windows user if I disabled SSH keys and used my
account password to authenticate. After much research, I found all the
relevant answers in the documentation that Corinna linked to - though
I had to read it twice to fully understand it (I've only recently
started to learn about Windows' authentication and security
processes).

Regards,
Anthony Geoghegan
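
A guard that a backup script could run before calling subinacl, built on the `mkpasswd -c` check described in the message above. This is an added example, not part of the thread or of Cygwin. It assumes `mkpasswd -c` prints one passwd-style line whose fifth field holds `U-MACHINE\name,SID`; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: refuse to back up ACLs when the ssh session is not
# running as the expected Windows account (e.g. it shows cyg_server).
# Assumption: the input is a passwd-style line with colon-separated
# fields, the fifth (gecos) containing "U-MACHINE\name,SID".

# Constructed sample lines (account names from the thread, SIDs invented).
SAMPLE_OK='myusername:unused:1001:513:U-mymachine\myusername,S-1-5-21-1-2-3-1001:/home/myusername:/bin/bash'
SAMPLE_SVC='cyg_server:unused:1002:513:U-mymachine\cyg_server,S-1-5-21-1-2-3-1002:/var/empty:/bin/false'

# Print the Windows account ("MACHINE\name") found in a passwd-style line.
windows_account() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($5, parts, ",")
        for (i = 1; i <= n; i++)
            if (parts[i] ~ /^U-/) { print substr(parts[i], 3); exit }
    }'
}

# Return 0 only if the line names the expected user.
# $1 = passwd-style line, $2 = expected user name (case-insensitive,
# because Windows account names are).
session_is_user() {
    acct=$(windows_account "$1")
    name=$(printf '%s' "${acct##*\\}" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$name" ] && [ "$name" = "$want" ]
}

# In a real backup script (not executed here):
#   line=$(mkpasswd -c) || exit 1
#   session_is_user "$line" myusername || {
#       echo "not running as myusername; skipping ACL backup" >&2; exit 1; }

# Demonstration on the constructed samples.
for line in "$SAMPLE_OK" "$SAMPLE_SVC"; do
    if session_is_user "$line" myusername; then
        echo "OK:     $(windows_account "$line")"
    else
        echo "REFUSE: $(windows_account "$line")"
    fi
done
```
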
