Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-11-21 Thread Christian Franke
Christian Franke wrote: Charles Wilson wrote: I've no objections to incorporating this/these utilities into cygutils. Take a look at http://cygwin.com/cgi-bin/cvsweb.cgi/cygutils/HOW-TO-CONTRIBUTE?rev=1.11&cvsroot=cygwin-apps to see how best to integrate the tool(s) into cygutils. I

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-18 Thread Corinna Vinschen
On Oct 17 14:19, Christian Franke wrote: Observation: When Cygwin spawns a process with CreateProcessAsUser(), the child process main thread has a token after startup. $ ./gettokinfo -t OpenThreadToken: 1008 $ ./cygdrop ./gettokinfo -t Thread Token Type: Impersonation Impersonation

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-14 Thread Corinna Vinschen
On Oct 13 22:31, Christian Franke wrote: Corinna Vinschen wrote: Patch checked in. Thanks. Thanks for doing this. Would you have fun to provide a tool for the net distro which uses this feature? A first try is attached. cygdrop command ... -- Drop admin group and most

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-14 Thread Christian Franke
Corinna Vinschen wrote: Cool. Another interesting option could be to remove the domain admins group as well, if the user is a domain user and, of course, removing any single user right, similar to the capsh tool under SELinux. Yes, makes sense. I'm just not sure if that tool should be

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-14 Thread Corinna Vinschen
On Oct 14 13:24, Christian Franke wrote: Corinna Vinschen wrote: Cool. Another interesting option could be to remove the domain admins group as well, if the user is a domain user and, of course, removing any single user right, similar to the capsh tool under SELinux. Yes, makes

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-13 Thread Corinna Vinschen
On Oct 11 22:45, Christian Franke wrote: Corinna Vinschen wrote: Thanks for the patch. You did check that the normal setuid/seteuid cases still work, didn't you? Yes. Cool. I just tested it myself and it looks good. What's wrong with: for i in $(id -G); do [ $i -eq 544 ]

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-13 Thread Eric Blake
According to Christian Franke on 10/11/2009 2:45 PM: 2009-10-11 Christian Franke fra...@computer.org Corinna Vinschen cori...@vinschen.de * include/sys/cygwin.h: Add new cygwin_getinfo_type CW_SET_EXTERNAL_TOKEN. Add

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-13 Thread Corinna Vinschen
On Oct 13 06:01, Eric Blake wrote: According to Christian Franke on 10/11/2009 2:45 PM: 2009-10-11 Christian Franke fra...@computer.org Corinna Vinschen cori...@vinschen.de * include/sys/cygwin.h: Add new

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-13 Thread Eric Blake
According to Corinna Vinschen on 10/13/2009 6:17 AM: Not the first time this is done in this function. But generally, shouldn't we follow the good practice of using va_end any time we used va_arg, in case cygwin is ever ported to a system where

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-13 Thread Christian Franke
Corinna Vinschen wrote: Patch checked in. Thanks. Thanks for doing this. Would you have fun to provide a tool for the net distro which uses this feature? A first try is attached. cygdrop command ... -- Drop admin group and most privileges and run command. cygdrop -b command ... --

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-11 Thread Christian Franke
Corinna Vinschen wrote: Thanks for the patch. You did check that the normal setuid/seteuid cases still work, didn't you? Yes. I would suggest to add another cygwin_internal() call to check if current process is considered 'equivalent root'. This could be used e.g. by shells to set the

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-10 Thread Corinna Vinschen
On Oct 9 23:42, Christian Franke wrote: Corinna Vinschen wrote: ...and maybe it's time to create a cygwin_internal call which replaces cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token in the long run. So, instead of the above we could have this call taking a

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-09 Thread Christian Franke
Corinna Vinschen wrote: ...and maybe it's time to create a cygwin_internal call which replaces cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token in the long run. So, instead of the above we could have this call taking a HANDLE and a BOOL value: cygwin_internal

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-07 Thread Corinna Vinschen
On Oct 6 22:15, Christian Franke wrote: Corinna Vinschen wrote: ...and maybe it's time to create a cygwin_internal call which replaces cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token in the long run. So, instead of the above we could have this call taking a

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-04 Thread Corinna Vinschen
Hi Christian, On Sep 1 20:32, Corinna Vinschen wrote: On Aug 30 21:38, Christian Franke wrote: Corinna Vinschen wrote: If you plan to run a Cygwin application with restricted rights from your administrative account, the IMHO right way would be to start the Cygwin application through

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-04 Thread Corinna Vinschen
On Oct 4 14:30, Corinna Vinschen wrote: [...] Patch attached. For simplicity I just applied the patch to the w32api winbase.h header file which defines CreateRestrictedToken and IsTokenRestricted. Thanks, Corinna * autoload.cc (IsTokenRestricted): Define. *

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-04 Thread Christian Franke
Hi Corinna, Corinna Vinschen wrote: New patch attached. I made the test a bit more foolproof, hopefully. And a restricted token does not require to load the user's registry hive, nor should Cygwin try to enable the backup/restore permissions in the new token. That spoils the idea of a

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-04 Thread Corinna Vinschen
On Oct 4 21:08, Christian Franke wrote: Hi Corinna, [...] Unfortunately this does not work for a typical use case: an admin process creates a restricted token with standard user rights. The function IsTokenRestricted() returns TRUE only if the token contains 'restricted SIDs'.

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-10-04 Thread Corinna Vinschen
On Oct 4 21:57, Corinna Vinschen wrote: On Oct 4 21:08, Christian Franke wrote: Hi Corinna, [...] Unfortunately this does not work for a typical use case: an admin process creates a restricted token with standard user rights. The function IsTokenRestricted() returns TRUE only if the

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-09-01 Thread Corinna Vinschen
On Aug 30 21:38, Christian Franke wrote: Corinna Vinschen wrote: If you plan to run a Cygwin application with restricted rights from your administrative account, the IMHO right way would be to start the Cygwin application through another application which creates a *really* restricted user

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-08-30 Thread Corinna Vinschen
On Aug 29 23:33, Christian Franke wrote: Corinna Vinschen wrote: - On all older systems you shouldn't work as admin by default anyway, especially not on Windows XP. And then, *if* you're running an admin session, you usually want admin rights. What's the advantage of faking you don't

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-08-30 Thread Christian Franke
Corinna Vinschen wrote: If you plan to run a Cygwin application with restricted rights from your administrative account, the IMHO right way would be to start the Cygwin application through another application which creates a *really* restricted user token using the Win32 function

[Patch] Allow to disable root privileges with CYGWIN=noroot

2009-08-29 Thread Christian Franke
For members of administrator group, Cygwin runs with root access rights. Cygwin enables the Windows backup and restore privileges which are not enabled by default. This is IMO not desirable under all circumstances. This patch adds a new flag to the Cygwin environment variable. If

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-08-29 Thread Corinna Vinschen
On Aug 29 16:04, Christian Franke wrote: For members of administrator group, Cygwin runs with root access rights. Cygwin enables the Windows backup and restore privileges which are not enabled by default. This is IMO not desirable under all circumstances. This patch adds a new flag to

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot

2009-08-29 Thread Christian Franke
Corinna Vinschen wrote: - On all older systems you shouldn't work as admin by default anyway, especially not on Windows XP. And then, *if* you're running an admin session, you usually want admin rights. What's the advantage of faking you don't have these rights? *If* running an