On Oct 4 21:57, Corinna Vinschen wrote:
> On Oct 4 21:08, Christian Franke wrote:
> > Hi Corinna,
> >[...]
> > Unfortunately this does not work for a typical use case: an admin process
> > creates a restricted token with standard user rights. The function
> > IsTokenRestricted() returns TRUE only if the token contains 'restricted
> > SIDs'.
> > (http://msdn.microsoft.com/en-us/library/aa379137(VS.85).aspx)
>
> Bummer.
>
> > There is apparently no function to check whether a token is a result of
> > CreateRestrictedToken() or SaferComputeTokenFromLevel().
> >
> > Wouldn't it be easier to add a new function
> > 'cygwin_set_restricted_token(token)' instead of the test of the token type?
>
> The idea was to avoid another non-standard system call.  Maybe you're
> right, but we should create another cygwin_internal call instead, like,
> say,
>
>   cygwin_internal (CW_SET_RESTRICTED_TOKEN, token_handle);

...and maybe it's time to create a cygwin_internal call which replaces
cygwin_set_impersonation_token and deprecate
cygwin_set_impersonation_token in the long run.  So, instead of the
above we could have this call taking a HANDLE and a BOOL value:

  cygwin_internal (CW_SET_EXTERNAL_TOKEN, token_handle, restricted?);

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat