This is the mail archive of the cygwin-developers mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Resurrecting subauth

From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin-developers at cygwin dot com
Date: Fri, 14 Jul 2006 15:37:50 +0200
Subject: Re: Resurrecting subauth
References: <20060714130703.GH8759@calimero.vinschen.de>
Reply-to: cygwin-developers at cygwin dot com

On Jul 14 15:07, Corinna Vinschen wrote:
> Yes, you're reading right.
> 
> Following up on this discussion from back in 2002:
> http://sourceware.org/ml/cygwin-developers/2002-12/msg00003.html
> Wow, 3 1/2 years ago...
> 
> Unfortunately the discussion died down without a result.  Along the same
> lines as stopping 9x support, I think it's time to resurrect the
> subauthentication stuff.  It's tested on 2K, XP and 2K3 and it works on
> all three systems.  I did no test on Vista and 64 bit XP/2K3, but right
> now I don't really care.  NT4 is basically a dead fish as well, so I
> do care even less.  For these cases we still have create_token, so what?
> 
> The advantage of subauthentication is clear, I guess:  Native Windows
> process will see the correct user name.  I got a report about a native
> cvs which creates all files owned by the SYSTEM user, when contacted
> through a Cygwin ssh session.  People, including the OpenSSH developers
> are concerned that this is a security hole.  As we know, it isn't, but
> it stays tricky to explain, right?  Besides, it is very annoying.
> 
> The disadvantage of subauthentication is that it's a potential security
> hole in itself since it allows a knowledgable process to get a token of
> any enabled user account.  However, this is just a theoretical security
> hole, since the process needs SeTcbPrivileges to do that, and a process
> having SeTcbPrivileges already *has* privileged access and can get what
> it wants quite easily anyway.  It doesn't need subauth for that.

I forgot to mention another disadvantage:

With just create_token each login via (for instance) ssh, is running in
the same logon session (SYSTEMs on 2K/XP, sshd_server's on 2K3).  If you
create network shares with `net use' in one ssh session, they are
remembered across all ssh session, until either the next reboot (when
sshd runs under SYSTEM) or until the next service restart (in case of a
non-SYSTEM account running sshd).

Using subauthentication, you're running always in a new logon session.
So in each new ssh session you have to recreate the network shares
because the previous ones were in another logon session and are not
accessible in the new logon session.  It looks like even the
"persistent" flag to `net use' helps.  I don't quite understand why,
right now...

So that's another reason to not always install the subauth DLL, since
people won't always like what will happen.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

References:
- Resurrecting subauth
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]