Christian Franke wrote:
Charles Wilson wrote:
I've no objections to incorporating this/these utilities into cygutils.
Take a look at
http://cygwin.com/cgi-bin/cvsweb.cgi/cygutils/HOW-TO-CONTRIBUTE?rev=1.11&cvsroot=cygwin-apps
to see how best to integrate the tool(s) into cygutils.
I wil
Corinna Vinschen wrote:
> On Oct 14 13:24, Christian Franke wrote:
>> Corinna Vinschen wrote:
>>> Cool. Another interesting option could be to remove the domain admins
>>> group as well, if the user is a domain user and, of course, removing
>>> any single user right, similar to the "capsh" tool un
On Oct 17 14:19, Christian Franke wrote:
> Observation: When Cygwin spawns a process with CreateProcessAsUser(), the
> child process main thread has a token after startup.
>
> $ ./gettokinfo -t
> OpenThreadToken: 1008
>
> $ ./cygdrop ./gettokinfo -t
> Thread Token
> Type: Impersonation
> Impersona
Corinna Vinschen wrote:
I have a self-hacked version of such a tool which you can download
from here: http://cygwin.de/gettokinfo/
`gettokinfo' prints everything except for the list of user rights.
`gettokinfo foo' prints everything including the user rights.
Thanks. I added option -t
On Oct 14 13:24, Christian Franke wrote:
> Corinna Vinschen wrote:
> >
> > Cool. Another interesting option could be to remove the domain admins
> > group as well, if the user is a domain user and, of course, removing
> > any single user right, similar to the "capsh" tool under SELinux.
> >
>
>
Corinna Vinschen wrote:
>
> Cool. Another interesting option could be to remove the domain admins
> group as well, if the user is a domain user and, of course, removing
> any single user right, similar to the "capsh" tool under SELinux.
>
Yes, makes sense.
> I'm just not sure if that tool sho
On Oct 13 22:31, Christian Franke wrote:
> Corinna Vinschen wrote:
>> Patch checked in.
>>
>
> Thanks.
>
>> Thanks for doing this. Would you have fun to provide a tool for the
>> net distro which uses this feature?
>>
>>
>
> A first try is attached.
>
> cygdrop command ... -- Drop admin grou
Corinna Vinschen wrote:
Patch checked in.
Thanks.
Thanks for doing this. Would you have fun to provide a tool for the
net distro which uses this feature?
A first try is attached.
cygdrop command ... -- Drop admin group and most privileges and run command.
cygdrop -b command ... --
According to Corinna Vinschen on 10/13/2009 6:17 AM:
>> Not the first time this is done in this function. But generally,
>> shouldn't we follow the good practice of using va_end any time we used
>> va_arg, in case cygwin is ever ported to a system whe
On Oct 13 06:01, Eric Blake wrote:
> According to Christian Franke on 10/11/2009 2:45 PM:
> > 2009-10-11 Christian Franke
> >Corinna Vinschen
> >
> > * include/sys/cygwin.h: Add new cygwin_getinfo_type
> > CW_SET_EXTERNA
According to Christian Franke on 10/11/2009 2:45 PM:
> 2009-10-11 Christian Franke
>Corinna Vinschen
>
> * include/sys/cygwin.h: Add new cygwin_getinfo_type
> CW_SET_EXTERNAL_TOKEN.
> Add new enum CW_TOKEN_IMPERSONATION, C
On Oct 11 22:45, Christian Franke wrote:
> Corinna Vinschen wrote:
>> Thanks for the patch. You did check that the normal setuid/seteuid
>> cases still work, didn't you?
>>
>>
>
> Yes.
Cool. I just tested it myself and it looks good.
>> What's wrong with:
>>
>> for i in $(id -G);
>> do
>
Corinna Vinschen wrote:
Thanks for the patch. You did check that the normal setuid/seteuid
cases still work, didn't you?
Yes.
I would suggest to add another cygwin_internal() call to check if current
process is considered 'equivalent root'. This could be used e.g. by shells
to set the r
On Oct 9 23:42, Christian Franke wrote:
> Corinna Vinschen wrote:
>> ...and maybe it's time to create a cygwin_internal call which replaces
>> cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token
>> in the long run. So, instead of the above we could have this call
>> taking
Corinna Vinschen wrote:
...and maybe it's time to create a cygwin_internal call which replaces
cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token
in the long run. So, instead of the above we could have this call
taking a HANDLE and a BOOL value:
cygwin_internal (CW_SE
On Oct 6 22:15, Christian Franke wrote:
> Corinna Vinschen wrote:
>> ...and maybe it's time to create a cygwin_internal call which replaces
>> cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token
>> in the long run. So, instead of the above we could have this call
>> taking
Corinna Vinschen wrote:
...and maybe it's time to create a cygwin_internal call which replaces
cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token
in the long run. So, instead of the above we could have this call
taking a HANDLE and a BOOL value:
cygwin_internal (CW_SE
On Oct 4 21:57, Corinna Vinschen wrote:
> On Oct 4 21:08, Christian Franke wrote:
> > Hi Corinna,
> >[...]
> > Unfortunately this does not work for a typical use case: an admin process
> > creates a restricted token with standard user rights. The function
> > IsTokenRestricted() returns TRUE on
On Oct 4 21:08, Christian Franke wrote:
> Hi Corinna,
>[...]
> Unfortunately this does not work for a typical use case: an admin process
> creates a restricted token with standard user rights. The function
> IsTokenRestricted() returns TRUE only if the token contains 'restricted
> SIDs'.
> (htt
Hi Corinna,
Corinna Vinschen wrote:
New patch attached. I made the test a bit more foolproof, hopefully.
And a restricted token does not require to load the user's registry hive,
nor should Cygwin try to enable the backup/restore permissions in the
new token. That spoils the idea of a restrict
On Oct 4 14:30, Corinna Vinschen wrote:
> [...]
> Patch attached. For simplicity I just applied the patch to the w32api
> winbase.h header file which defines CreateRestrictedToken and
> IsTokenRestricted.
>
>
> Thanks,
> Corinna
>
>
> * autoload.cc (IsTokenRestricted): Define.
> *
Hi Christian,
On Sep 1 20:32, Corinna Vinschen wrote:
> On Aug 30 21:38, Christian Franke wrote:
> > Corinna Vinschen wrote:
> >> If you plan to run a Cygwin application with restricted rights from your
> >> administrative account, the IMHO right way would be to start the Cygwin
> >> application
On Aug 30 21:38, Christian Franke wrote:
> Corinna Vinschen wrote:
>> If you plan to run a Cygwin application with restricted rights from your
>> administrative account, the IMHO right way would be to start the Cygwin
>> application through another application which creates a *really*
>> restricted
Corinna Vinschen wrote:
If you plan to run a Cygwin application with restricted rights from your
administrative account, the IMHO right way would be to start the Cygwin
application through another application which creates a *really*
restricted user token using the Win32 function CreateRestricted
On Aug 29 23:33, Christian Franke wrote:
> Corinna Vinschen wrote:
>> - On all older systems you shouldn't work as admin by default anyway,
>> especially not on Windows XP. And then, *if* you're running an admin
>> session, you usually want admin rights. What's the advantage of
>> faking y
Corinna Vinschen wrote:
- On all older systems you shouldn't work as admin by default anyway,
especially not on Windows XP. And then, *if* you're running an admin
session, you usually want admin rights. What's the advantage of
faking you don't have these rights?
*If* running an ad
On Aug 29 16:04, Christian Franke wrote:
> For members of administrator group, Cygwin runs with root access rights.
> Cygwin enables the Windows backup and restore privileges which are not
> enabled by default.
>
> This is IMO not desirable under all circumstances.
>
> This patch adds a new fla
For members of administrator group, Cygwin runs with root access rights.
Cygwin enables the Windows backup and restore privileges which are not
enabled by default.
This is IMO not desirable under all circumstances.
This patch adds a new flag to the Cygwin environment variable.
If 'CYGWIN=noroo
28 matches