diff options
| author | Darren Tucker <dtucker@dtucker.net> | 2019-03-14 08:51:17 +1100 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2019-03-14 08:51:17 +1100 |
| commit | 825ab32f0d04a791e9d19d743c61ff8ed9b4d8e5 (patch) | |
| tree | fd71122578ee7062523dccc06f58dee47e60aa35 /contrib | |
| parent | a212107bfdf4d3e870ab7a443e4d906e5b9578c3 (diff) | |
On Cygwin run sshd as SYSTEM where possible.
Seteuid now creates user token using S4U. We don't create a token
from scratch anymore, so we don't need the "Create a process token"
privilege. The service can run under SYSTEM again...
...unless Cygwin is running on Windows Vista or Windows 7 in the
WOW64 32 bit emulation layer. It turns out that WOW64 on these systems
didn't implement MsV1_0 S4U Logon so we still need the fallback
to NtCreateToken for these systems.
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/cygwin/ssh-host-config | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index cc36ea102..a8572e2ac 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
| @@ -394,14 +394,24 @@ install_service() { | |||
| 394 | then | 394 | then |
| 395 | csih_get_cygenv "${cygwin_value}" | 395 | csih_get_cygenv "${cygwin_value}" |
| 396 | 396 | ||
| 397 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) | 397 | if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] ) |
| 398 | then | 398 | then |
| 399 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" | 399 | # Enforce using privileged user on 64 bit Vista or W7 under WOW64 |
| 400 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" | 400 | is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1 || echo 0) |
| 401 | csih_inform "sshd requires. You need to have or to create a privileged" | ||
| 402 | csih_inform "account. This script will help you do so." | ||
| 403 | echo | ||
| 404 | 401 | ||
| 402 | if ( csih_is_nt2003 && ! csih_is_windows8 && [ "${is_wow64}" = "1" ] ) | ||
| 403 | then | ||
| 404 | csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows 7" | ||
| 405 | csih_inform "the SYSTEM account is not sufficient to setuid to a local" | ||
| 406 | csih_inform "user account. You need to have or to create a privileged" | ||
| 407 | csih_inform "account. This script will help you do so." | ||
| 408 | echo | ||
| 409 | csih_FORCE_PRIVILEGED_USER=yes | ||
| 410 | fi | ||
| 411 | fi | ||
| 412 | |||
| 413 | if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) | ||
| 414 | then | ||
| 405 | [ "${opt_force}" = "yes" ] && opt_f=-f | 415 | [ "${opt_force}" = "yes" ] && opt_f=-f |
| 406 | [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" | 416 | [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" |
| 407 | csih_select_privileged_username ${opt_f} ${opt_u} sshd | 417 | csih_select_privileged_username ${opt_f} ${opt_u} sshd |
| @@ -412,11 +422,12 @@ install_service() { | |||
| 412 | csih_request "Do you want to proceed anyway?" || exit 1 | 422 | csih_request "Do you want to proceed anyway?" || exit 1 |
| 413 | let ++ret | 423 | let ++ret |
| 414 | fi | 424 | fi |
| 425 | # Never returns empty if NT or above | ||
| 426 | run_service_as=$(csih_service_should_run_as) | ||
| 427 | else | ||
| 428 | run_service_as="SYSTEM" | ||
| 415 | fi | 429 | fi |
| 416 | 430 | ||
| 417 | # Never returns empty if NT or above | ||
| 418 | run_service_as=$(csih_service_should_run_as) | ||
| 419 | |||
| 420 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] | 431 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] |
| 421 | then | 432 | then |
| 422 | password="${csih_PRIVILEGED_PASSWORD}" | 433 | password="${csih_PRIVILEGED_PASSWORD}" |