[cvsnt] Switch to user failed due to configuration error
Tony Hoyle
tony.hoyle at march-hare.com
Sat Sep 20 01:04:43 BST 2008
Arthur Barrett wrote:
> It may be easier to bypass all this token stuff if we switched from
> using setuid.dll to use cyglsa64.dll and modify the calling codein
> trysuid() of cvsnt/Windows-NT/win32.cpp:
> http://cygwin.com/cgi-bin/cvsweb.cgi/src/winsup/lsaauth/?cvsroot=src
>
Interesting.. cygwin wrote one eventually then. Looks like sections of
it are based on setuid but they've missed out quite a bit for some
reason, eg. domain logins are completely absent. I'm not sure what we'd
gain by introducing a dependency on cygwin and using a less functional
library..
Note that you do not need create token privilege to do any of this. You
need 'act as part of the operating system', which is enforced by the
Win32 system to even call LogonUserEx and invoke LSA - without that
check any random user could instantly become any other user, including
administrator.
XP SP2 and later have an impersonation privilege too that might need to
be granted (aka. the right to actually switch users given an
impersonation token).
cvsnt does have a legacy API - NTCreateToken - that is redundant unless
it's run on NT4. That does need create token rights, but is pretty
irrelevant nowadays.. it's gone from evs and should probably be gone
from cvsnt by now (unless we still want NT4 compatibility).
Tony
More information about the cvsnt
mailing list