Web lists-archives.com

Switching the user context -- SeAssignPrimaryTokenPrivilege required Re: Installing sshd on W7 reveals errors in CSIH_SCRIPT -- patch file against master




Hi Corinna,

Maybe you are still around ... otherwise it will be for the next round.

During my exercise with sshd I was "forced" :-) to study the User Guide, as I
am not "well informed" :-P about the security model of Windows.

I am referring to this paragraph:

    https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
    (switching the user context)

To get a bit more acquainted with the stuff, I decided to try your example at
the beginning of this paragraph - i.e. the example in subparagraph "Switching
the user context WITH password authentication".

(I modified the example in order to make a bit more "exciting" -- see below)

64-@@# uname -a
CYGWIN_NT-6.1 Seven 2.8.0(0.309/5/3) 2017-04-01 20:47 x86_64 Cygwin
64-@@# editrights -u Henri -l
SeLockMemoryPrivilege <==== no special? privileges ...

64-@@# ./setuid
Password:
BEFORE  uid = 1000,  gid =  513
BEFORE euid = 1000, egid =  513
AFTER   uid = 1004,  gid =  513
AFTER  euid = 1004, egid =  513
Surprise: execl() failed: : Operation not permitted
retval = -1
Should not be reached ...
64-@@#

First I tried adding SeTcbPrivilege ("extremely powerful", according to what I
read at MSDN). Logoff/Logon ...

That did not help. Got the same result. So, NOT that powerful ...

Secondly I tried adding SeAssignPrimaryTokenPrivilege ... Logoff/Logon ...

64-@@# ./setuid
Password:
BEFORE  uid = 1000,  gid =  513
BEFORE euid = 1000, egid =  513
AFTER   uid = 1004,  gid =  513
AFTER  euid = 1004, egid =  513
sh-4.4$ id
uid=1004(jvdwater) gid=513(None) groups=513(None),545(Users),11(Authenticated Users)
sh-4.4$ exit
64-@@# 

It might be ?obvious? to an expert on Windows (after having searched through
MSDN?), that this privilege (SeAssignPrimaryTokenPrivilege) is required ...

That is, when one is going to invoke CreateProcessAsUser() ...

However, someone without that knowledge ...
Perhaps a small note to that effect (special privilege required!) in "Switching
the user context with password authentication" might help the 'innocent' reader.

Regards.
Henri

-----
setuid.c:

int
main()
{
    const struct passwd *user_pwd_entry = getpwnam ("jvdwater");
    const char *cleartext_password = getpass ("Password:");

    /* Patch the typical password test. */
    HANDLE token;

    /* Try to get the access token from Windows. */
    token = cygwin_logon_user (user_pwd_entry, cleartext_password);
    if (token == INVALID_HANDLE_VALUE)
        { printf("1\n"); exit(EXIT_FAILURE); } // error_exit;
    /* Inform Cygwin about the new impersonation token. */
    cygwin_set_impersonation_token (token);
    /* Cygwin is now able, to switch to that user context by setuid or seteuid calls. */

    printf("BEFORE  uid = %4u,  gid = %4u\n",  getuid(),  getgid() );
    printf("BEFORE euid = %4u, egid = %4u\n", geteuid(), getegid() );

    if (setgid (user_pwd_entry->pw_gid) != 0) // Use set[gu]id, NOT sete[gu]id
        { printf("3\n"); exit(EXIT_FAILURE); }
    if (setuid (user_pwd_entry->pw_uid) != 0) // Use set[gu]id, NOT sete[gu]id
        { printf("4\n"); exit(EXIT_FAILURE); }

    printf("AFTER   uid = %4u,  gid = %4u\n",  getuid(),  getgid() );
    printf("AFTER  euid = %4u, egid = %4u\n", geteuid(), getegid() );

    // uid (and euid) should be set to jvdwater at this point
    int retval = execl ("/bin/bash", "sh", (char  *) NULL);
    if (retval != 0)
        { perror("Surprise: execl() failed: "); } // SeAssignPrimaryTokenPrivilege missing?
    printf("retval = %d\n", retval);

    printf("Should not be reached ...\n");
}

====


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple