On Cygwin run sshd as SYSTEM where possible.
Seteuid now creates user token using S4U. We don't create a token from scratch anymore, so we don't need the "Create a process token" privilege. The service can run under SYSTEM again... ...unless Cygwin is running on Windows Vista or Windows 7 in the WOW64 32 bit emulation layer. It turns out that WOW64 on these systems didn't implement MsV1_0 S4U Logon so we still need the fallback to NtCreateToken for these systems. Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
This commit is contained in:
parent
a212107bfd
commit
825ab32f0d
|
@ -394,14 +394,24 @@ install_service() {
|
||||||
then
|
then
|
||||||
csih_get_cygenv "${cygwin_value}"
|
csih_get_cygenv "${cygwin_value}"
|
||||||
|
|
||||||
if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
|
if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] )
|
||||||
then
|
then
|
||||||
csih_inform "On Windows Server 2003, Windows Vista, and above, the"
|
# Enforce using privileged user on 64 bit Vista or W7 under WOW64
|
||||||
csih_inform "SYSTEM account cannot setuid to other users -- a capability"
|
is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1 || echo 0)
|
||||||
csih_inform "sshd requires. You need to have or to create a privileged"
|
|
||||||
csih_inform "account. This script will help you do so."
|
|
||||||
echo
|
|
||||||
|
|
||||||
|
if ( csih_is_nt2003 && ! csih_is_windows8 && [ "${is_wow64}" = "1" ] )
|
||||||
|
then
|
||||||
|
csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows 7"
|
||||||
|
csih_inform "the SYSTEM account is not sufficient to setuid to a local"
|
||||||
|
csih_inform "user account. You need to have or to create a privileged"
|
||||||
|
csih_inform "account. This script will help you do so."
|
||||||
|
echo
|
||||||
|
csih_FORCE_PRIVILEGED_USER=yes
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
|
||||||
|
then
|
||||||
[ "${opt_force}" = "yes" ] && opt_f=-f
|
[ "${opt_force}" = "yes" ] && opt_f=-f
|
||||||
[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
|
[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
|
||||||
csih_select_privileged_username ${opt_f} ${opt_u} sshd
|
csih_select_privileged_username ${opt_f} ${opt_u} sshd
|
||||||
|
@ -412,11 +422,12 @@ install_service() {
|
||||||
csih_request "Do you want to proceed anyway?" || exit 1
|
csih_request "Do you want to proceed anyway?" || exit 1
|
||||||
let ++ret
|
let ++ret
|
||||||
fi
|
fi
|
||||||
|
# Never returns empty if NT or above
|
||||||
|
run_service_as=$(csih_service_should_run_as)
|
||||||
|
else
|
||||||
|
run_service_as="SYSTEM"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Never returns empty if NT or above
|
|
||||||
run_service_as=$(csih_service_should_run_as)
|
|
||||||
|
|
||||||
if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
|
if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
|
||||||
then
|
then
|
||||||
password="${csih_PRIVILEGED_PASSWORD}"
|
password="${csih_PRIVILEGED_PASSWORD}"
|
||||||
|
|
Loading…
Reference in New Issue