[cvsnt] Re: cygwin ssh server and author being set to SYSTEM
Pavel Goran
pvgoran.ml at macondo.ru
Thu Jan 8 06:09:50 GMT 2004
Hello Tony,
Wednesday, January 7, 2004, 11:26:31 PM, you wrote:
>>The authentication module could just check if the calling process has
>>enough privileges to use NtCreateToken() and impersonate a user via
>>the obtained access token - that is, if the process can make use of
>>the currently used (in CygWin) "broken" impersonation. If this is the
>>case, the authentication module could safely proceed with doing
>>whatever is needed for "normal", non-broken impersonation.
>>
TH> You can't do that with a subauth module - you get no information about
TH> the calling process or privileges of said process.
There must be a possibility for some kind of communication between a
process and the module (for example, a process can create a named pipe
and pass its name to the package as a password). Provided that
communication is possible, the package can create a named pipe (and
thus become the "named pipe server"), instruct the process to open it
(which thus becomes the "named pipe client"), impersonate the process'
user by calling ImpersonateNamedPipeClient(), and actually try
NtCreateToken() (and maybe other calls).
Pavel Goran