Web lists-archives.com

Re: openssh: privilege separation no longer supported on Cygwin?




On 2017-05-31 13:52, Marco Atzeri wrote:
> On 29/05/2017 11:48, Houder wrote:
>> On 2017-05-29 10:39, Marco Atzeri wrote:
>>> On 29/05/2017 07:23, Houder wrote:
>>
>> [snip]
>>>> ... because, that is, I think, what I am seeing:
>>>>
>>>>  - the userid of child sshd is still 'cyg_server' ...
>>>>  - and I get an elevated shell when I login ...
>>>>
>>>> Not what I expected ...
>>>>
>>>> Gr. Henri
>>>>
>>>
>>> Hi Houder,
>>> please read the last Announcement
>>>
>>> https://sourceware.org/ml/cygwin-announce/2017-03/msg00028.html
>>
>> [snip]
>>> It seems you misunderstood the communication:
>>> - the possibility to NOT use "privilege separation" is deprecated
>>> - "privilege separation" will became mandatory
>>
>> Hi Marco,
>>
>> Sorry for the misunderstanding. Yes, to my knowledge, PS, privilege
>> separation, is now mandatory (using a new mechanism under Linux [1]).
>>
>> [1] sandboxing?
>>
>> Because of PS, I expect to see an UNprivileged sshd process talking
>> to the user process (where the ssh command has been executed).
>>
>> But above all, I expect an UNelevated shell when I login in ...
>>
>> However, what I get after login (after providing my credentials) is
>> an ELEVATED shell (yes, Administrators is part of the group set).
> 
> Is your user a member of Administrators ?
> 
>>
>> Now I wonder if this happens because I do NOT observe PS.
>>
>> Look below, please ... After executing the ssh command, ssh asks for
>> my credentials ... in stead of providing my credentials, I execute
>> the ps command in a second terminal. To my surprise, the grandchild
>> of the listener is executed using "cyg_server" and not "sshd" ...
>>
>> Currently, I am looking at:
>>
>>     https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>
>> Regards,
>> Henri
>>
> 
> on my system as reported by lusrmgr.msc
> cyg_server is a privileged user member of Administrators
> sshd is a normal user as expected reading ssh-host-config.
> 
> The cyg_server account can setuid to other users
> otherwise you can not change user id:
> 
> $ pstree -u
> ?─┬─cygrunsrv(cyg_server)───sshd───sshd───bash(marco)───pstree
>   ├─mintty(marco)───bash───ssh
>   └─mintty(marco)───bash

You might want to look at the UG NT Security section on using LSA and
passwd -R to impersonate unprivileged userids.

Normally sshd is set up using the cyg_server account by ssh-host-config:
run cygrunsrv with -VQ (-QV doesn't work) to see most settings e.g.

$ cygrunsrv -VQ sshd
Service             : sshd
Display name        : CYGWIN sshd
Current State       : Running
Controls Accepted   : Stop, Preshutdown
Command             : /usr/sbin/sshd -D
stdin path          : /dev/null
stdout path         : /var/log/sshd.log
stderr path         : /var/log/sshd.log
Process Type        : Own Process
Startup             : Automatic
Dependencies        : cygserver, tcpip
Account             : .\cyg_server

you can also check the Windows view with:

$ sc qc sshd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: sshd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\...\cygwin64\bin\cygrunsrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CYGWIN sshd
        DEPENDENCIES       : cygserver
                           : tcpip
        SERVICE_START_NAME : .\cyg_server

and I have a script that lists all service registry settings for
checking, and works with all Windows services, not just Cygwin services
started by cygrunsrv:

$ scqc.sh sshd
sshd            DelayedAutostart          1
sshd            DependOnService           cygserver  tcpip
sshd            DisplayName               CYGWIN sshd
sshd            ErrorControl              1
sshd            ImagePath                 C:\...\cygwin64\bin\cygrunsrv.exe
sshd            ObjectName                .\cyg_server
sshd            Parameters                AppPath  AppArgs  Preshutdown
sshd            Start                     2
sshd            Type                      16
sshd            Parameters/AppArgs        -D
sshd            Parameters/AppPath        /usr/sbin/sshd
sshd            Parameters/Preshutdown    1

enabling you to easily see what service settings to change using sc or
registry commands like Cygwin regtool or Windows reg, as cygrunsrv does
not support all sc settings, or dynamic changes, only -R remove and -I
install, which stops the service. Parameters is a standard subkey also
used by other non-Cygwin services.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple