authorDarren Tucker <dtucker@dtucker.net>2019-03-14 08:51:17 +1100
committerDarren Tucker <dtucker@dtucker.net>2019-03-14 08:51:17 +1100
commit825ab32f0d04a791e9d19d743c61ff8ed9b4d8e5 (patch)
treefd71122578ee7062523dccc06f58dee47e60aa35 /contrib
parenta212107bfdf4d3e870ab7a443e4d906e5b9578c3 (diff)
On Cygwin run sshd as SYSTEM where possible.
Seteuid now creates user token using S4U. We don't create a token from scratch anymore, so we don't need the "Create a process token" privilege. The service can run under SYSTEM again... ...unless Cygwin is running on Windows Vista or Windows 7 in the WOW64 32 bit emulation layer. It turns out that WOW64 on these systems didn't implement MsV1_0 S4U Logon so we still need the fallback to NtCreateToken for these systems. Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
Diffstat (limited to 'contrib')
-rw-r--r--contrib/cygwin/ssh-host-config29
1 files changed, 20 insertions, 9 deletions
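diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index cc36ea102..a8572e2ac 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -394,14 +394,24 @@ install_service() {
 then
 csih_get_cygenv "${cygwin_value}"
 
-if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] )
 then
-csih_inform "On Windows Server 2003, Windows Vista, and above, the"
-csih_inform "SYSTEM account cannot setuid to other users -- a capability"
-csih_inform "sshd requires. You need to have or to create a privileged"
-csih_inform "account. This script will help you do so."
-echo
+# Enforce using privileged user on 64 bit Vista or W7 under WOW64
+is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1 || echo 0)
 
+if ( csih_is_nt2003 && ! csih_is_windows8 && [ "${is_wow64}" = "1" ] )
+then
+csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows 7"
+csih_inform "the SYSTEM account is not sufficient to setuid to a local"
+csih_inform "user account. You need to have or to create a privileged"
+csih_inform "account. This script will help you do so."
+echo
+csih_FORCE_PRIVILEGED_USER=yes
+fi
+fi
+
+if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+then
 [ "${opt_force}" = "yes" ] && opt_f=-f
 [ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
 csih_select_privileged_username ${opt_f} ${opt_u} sshd
@@ -412,11 +422,12 @@ install_service() {
 csih_request "Do you want to proceed anyway?" || exit 1
 let ++ret
 fi
+# Never returns empty if NT or above
+run_service_as=$(csih_service_should_run_as)
+else
+run_service_as="SYSTEM"
 fi
 
-# Never returns empty if NT or above
-run_service_as=$(csih_service_should_run_as)
-
 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
 then
 password="${csih_PRIVILEGED_PASSWORD}"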
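Review bot: The new WOW64 fallback condition in the first hunk, `csih_is_nt2003 && ! csih_is_windows8 && [ "${is_wow64}" = "1" ]`, does not say why that combination needs a privileged account, so the next maintainer cannot tell whether the check is still required once the S4U path is trusted; the reason only lives in the commit message. Add the rationale above the `if` as `# WOW64 on Vista/7 did not implement MsV1_0 S4U logon; seteuid must fall back to NtCreateToken, which SYSTEM cannot do without the "Create a token" privilege, so a privileged service user is required.` so the least-privilege decision (SYSTEM vs. a dedicated privileged user) is documented where it is made. The printed message names only Vista and Windows 7, but if `csih_is_nt2003` is true from Server 2003 onward (as the removed message suggests), the branch presumably also fires on Server 2003/2008 under WOW64; either widen the message or tighten the test. The detection relies on `uname` output containing `WOW`, which is worth noting in the comment as the assumption being made. install_service() begins and ends outside these hunks.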