Seteuid now creates user token using S4U. We don't create a token from scratch anymore, so we don't need the "Create a process token" privilege. The service can run under SYSTEM again.
---
contrib/cygwin/ssh-host-config | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index cc36ea102f42..2e15d02fbbc1 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -394,14 +394,8 @@ install_service() { then csih_get_cygenv "${cygwin_value}" - if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) + if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) then - csih_inform "On Windows Server 2003, Windows Vista, and above, the" - csih_inform "SYSTEM account cannot setuid to other users -- a capability" - csih_inform "sshd requires. You need to have or to create a privileged" - csih_inform "account. This script will help you do so." - echo - [ "${opt_force}" = "yes" ] && opt_f=-f [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" csih_select_privileged_username ${opt_f} ${opt_u} sshd
@@ -412,11 +406,12 @@ install_service() { csih_request "Do you want to proceed anyway?" || exit 1 let ++ret fi + # Never returns empty if NT or above + run_service_as=$(csih_service_should_run_as) + else + run_service_as="SYSTEM" fi - # Never returns empty if NT or above - run_service_as=$(csih_service_should_run_as) - if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] then password="${csih_PRIVILEGED_PASSWORD}"
-- 2.20.1
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
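Review bot: The parentheses in `if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )` now wrap a single test, so they only fork a subshell; with the `csih_is_nt2003 ||` alternative gone, `if [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ]` is equivalent. With the four `csih_inform` lines removed, nothing in this hunk says why a privileged account is still requested when that variable is set. A comment above the `if` such as `# Dedicated service account only on explicit request; SYSTEM is the default` would record it. The body of install_service starts and ends outside the hunk.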
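Review bot: The new `else` branch sets `run_service_as="SYSTEM"` unconditionally, and nothing visible in the second hunk checks that the installed Cygwin runtime has the S4U-based seteuid the commit message relies on. On a runtime that predates that change, the service would presumably be installed under SYSTEM and then fail to switch users at login, which is the case the removed `csih_inform` text described. The account choice is also silent now; a line such as `csih_inform "sshd will be installed to run under the SYSTEM account."` in the `else` branch would put it in the install output. Tokens obtained through S4U logon generally carry no network credentials, so the accompanying documentation should say that sessions without a password may lose access to network resources. The enclosing function continues outside the hunk.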