On 2017-05-29 10:39, Marco Atzeri wrote:
On 29/05/2017 07:23, Houder wrote:
[snip]
... because, that is, I think, what I am seeing:
- the userid of child sshd is still 'cyg_server' ...
- and I get an elevated shell when I login ...
Not what I expected ...
Gr. Henri
Hi Houder,
please read the last Announcement
https://sourceware.org/ml/cygwin-announce/2017-03/msg00028.html
[snip]
It seems you misunderstood the communication:
- the possibility to NOT use "privilege separation" is deprecated
- "privilege separation" will became mandatory
Hi Marco,
Sorry for the misunderstanding. Yes, to my knowledge, PS, privilege
separation, is now mandatory (using a new mechanism under Linux [1]).
[1] sandboxing?
Because of PS, I expect to see an UNprivileged sshd process talking
to the user process (where the ssh command has been executed).
But above all, I expect an UNelevated shell when I login in ...
However, what I get after login (after providing my credentials) is
an ELEVATED shell (yes, Administrators is part of the group set).
Now I wonder if this happens because I do NOT observe PS.
Look below, please ... After executing the ssh command, ssh asks for
my credentials ... in stead of providing my credentials, I execute
the ps command in a second terminal. To my surprise, the grandchild
of the listener is executed using "cyg_server" and not "sshd" ...
Currently, I am looking at:
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
Regards,
Henri