libs/newlib-cygwin
libs
/
newlib-cygwin
mirror of git://sourceware.org/git/newlib-cygwin.git
4
0
Fork 0
Code Issues Projects Releases Wiki Activity

* ntsec.html: Add chapter for switching user context w/o password.

This commit is contained in:
Corinna Vinschen 2002-09-11 08:39:04 +00:00
parent 848791f9bc
commit 22f8000733
2 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
winsup/doc/ChangeLog
View File

@ -1,3 +1,7 @@
2002-09-11 Corinna Vinschen <corinna@vinschen.de>
* ntsec.html: Add chapter for switching user context w/o password.
2002-08-29 Christopher Faylor <cgf@redhat.com>
* how-api.texinfo: Remove a line from the CRLF discussion about lseek

24
winsup/doc/ntsec.sgml
View File

@ -411,7 +411,6 @@ for fun.</para>
<title>/etc/passwd</title>
<screen>
root:*:0:0:Administrators group,S-1-5-32-544::
Everyone:*:1:1:,S-1-1-0::
SYSTEM:*:18:18:,S-1-5-18:/home/system:/bin/bash
admin:*:500:513:,S-1-5-21-1844237615-436374069-1060284298-500:/home/Administrator:/bin/bash
corinna:*:100:0:Corinna Vinschen,S-1-5-21-1844237615-436374069-1060284298-1003:/home/corinna:/bin/tcsh
@ -423,7 +422,6 @@ Guest:*:501:546:,S-1-5-21-1844237615-436374069-1060284298-501:/home/Guest:/bin/b
<title>/etc/group</title>
<screen>
root:S-1-5-32-544:0:
everyone:S-1-1-0:1:
local:S-1-2-0:2:
network:S-1-5-2:3:
interactive:S-1-5-4:4:
@ -710,4 +708,26 @@ etc.
</sect2>
<sect2 id="ntsec-release1.3.3"><title>New since Cygwin release 1.3.3</title>
<para>
Since Cygwin release 1.3.3, applications having the
<command>Create a process level token</command> user right can switch user
context without giving a password by just calling the usual
<command>setuid</command>, <command>seteuid</command>,
<command>setgid</command> and <command>setegid</command> functions. This is
typically only given to the SYSTEM user. However, this now allows to switch
the user context using e. g. rhosts authentication or (when running sshd
under SYSTEM account as service) public key authentication.
</para>
<para>
An important restriction of this method is, that a process started under
SYSTEM account can't access network shares which require authentication.
This also applies to the subprocesses which switched the user context
without a password. People using network home drives are typically not
able to access it when trying to login using ssh or rsh without password.
</para>
</sect2>
</sect1>