[PATCH v3] Cygwin: rel 3.0 drops requirement for privileged non-SYSTEM account

Corinna Vinschen vinschen at redhat.com
Wed Feb 20 23:25:02 AEDT 2019


Seteuid now creates user token using S4U.  We don't create a token
from scratch anymore, so we don't need the "Create a process token"
privilege.  The service can run under SYSTEM again...

...unless Cygwin is running on Windows Vista or Windows 7 in the
WOW64 32 bit emulation layer.  It turns out that WOW64 on these systems
didn't implement MsV1_0 S4U Logon so we still need the fallback
to NtCreateToken for these systems.

Signed-off-by: Corinna Vinschen <vinschen at redhat.com>
---
 contrib/cygwin/ssh-host-config | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index cc36ea102f42..a8572e2ac879 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -394,14 +394,24 @@ install_service() {
     then
       csih_get_cygenv "${cygwin_value}"
 
-      if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+      if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] )
       then
-	csih_inform "On Windows Server 2003, Windows Vista, and above, the"
-	csih_inform "SYSTEM account cannot setuid to other users -- a capability"
-	csih_inform "sshd requires.  You need to have or to create a privileged"
-	csih_inform "account.  This script will help you do so."
-	echo
+	# Enforce using privileged user on 64 bit Vista or W7 under WOW64
+	is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1 || echo 0)
 
+	if ( csih_is_nt2003 && ! csih_is_windows8 && [ "${is_wow64}" = "1" ] )
+	then
+	  csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows 7"
+	  csih_inform "the SYSTEM account is not sufficient to setuid to a local"
+	  csih_inform "user account.  You need to have or to create a privileged"
+	  csih_inform "account.  This script will help you do so."
+	  echo
+	  csih_FORCE_PRIVILEGED_USER=yes
+	fi
+      fi
+
+      if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+      then
 	[ "${opt_force}" = "yes" ] && opt_f=-f
 	[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
 	csih_select_privileged_username ${opt_f} ${opt_u} sshd
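Review bot: The new `is_wow64` variable is assigned inside install_service() without `local`, so it leaks into the caller's scope; the script is bash (it uses `let ++ret`), so `local` is available. The `grep -q … && echo 1 || echo 0` form is the `cmd && a || b` idiom a linter flags (it would run `echo 0` if `echo 1` failed), and it spawns a pipeline for a test that a `case` in the current shell can do: `local is_wow64=0` then `case "$(/usr/bin/uname)" in *WOW*) is_wow64=1 ;; esac`. Since a missed detection silently leaves the service on SYSTEM, where the commit message says setuid cannot work under WOW64 on Vista/7, the comment above the assignment should also say that the check depends on the WOW suffix Cygwin's uname emits under WOW64 — something like `# Cygwin's uname carries a WOW suffix when running under WOW64; without it we assume native and run as SYSTEM`. install_service() begins and ends outside the hunk.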
@@ -412,11 +422,12 @@ install_service() {
 	  csih_request "Do you want to proceed anyway?" || exit 1
 	  let ++ret
 	fi
+	# Never returns empty if NT or above
+	run_service_as=$(csih_service_should_run_as)
+      else
+	run_service_as="SYSTEM"
       fi
 
-      # Never returns empty if NT or above
-      run_service_as=$(csih_service_should_run_as)
-
       if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
       then
 	password="${csih_PRIVILEGED_PASSWORD}"
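Review bot: The new `else` branch assigns `run_service_as="SYSTEM"` with no comment, while the moved comment `# Never returns empty if NT or above` explains only the privileged-user branch, so a reader without the commit message cannot tell why SYSTEM is now acceptable. Suggest `# Since 3.0 seteuid uses S4U, so sshd no longer needs a privileged account and can run as SYSTEM` above that assignment. Note also that csih_service_should_run_as is no longer invoked on the SYSTEM path; if that helper has side effects beyond its return value (not visible here) they are now skipped. install_service() continues outside the hunk.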
-- 
2.20.1


