[cvsnt] Re: cygwin ssh server and author being set to SYSTEM
Tony Hoyle
tmh at nodomain.org
Tue Dec 16 00:37:29 GMT 2003
Hartmut Honisch wrote:
> I had once implemented an alpha release of such a package for cygwin, but
> they thought cygwin's way of handling impersonation was sufficient, the use
> of a subauthentication package would raise too many issues to justify its
> benefits.
The whole security thing for example...
If you allow users to log in without passwords in that way, once that
package is on the system it's a potential wide open security hole...
*any* user that can execute LogonUser/LsaLogonUser with the correct
parameters (and with an open-source package that wouldn't be too hard to
work out - I could probably do it with a closed-source one in a couple
of hours) will be able to become administrator.
I looked at it for a bit myself and realised quickly that there's no way
to stop a process raising its privilege level that way, so it wasn't
worth the risk.
Tony