This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.
RE: New subdirectory in winsup
- To: cygdev <cygwin-developers at cygwin dot com>
- Subject: RE: New subdirectory in winsup
- From: "Parker, Ron" <rdparker at butlermfg dot com>
- Date: Mon, 7 May 2001 11:56:02 -0500
> Then be sure to have an account with the SE_TCB_NAME "Act as part
> of the operating system" privilege active since it's needed to
> be able to contact the LSA subsystem which manages the user
> authentication in NT/W2K. That right is by default only given to
> LocalSystem. That's of course no advice to always create such an
> account but it's only for testing purposes!
Am I understanding properly that this privilege must be added to the user's
login account? If so, it seems to me that this would possibly introduce
some further security issues.
A few years ago I created an "su" program that I use for various purposes on
Windows NT/2000. It has a service that is run under an account that has
that privilege and a few others. The service is an OLE server and can be
called from any application with a user's name and password as well as the
name of a program to be executed. The service then impersonates the
requested user and executes the application. This avoids giving the user's
account a privilege that IMO is dangerous.
I would recommend incorporating such functionality into a daemon like what I
understand Egor was working on.
I have one question. Has anyone figured out a way in Windows to allow root
to "su username" without knowing the user's password?
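
The concern raised in this message, that SE_TCB_NAME ends up on an ordinary login account rather than on LocalSystem or a dedicated service account, can be checked from a user-rights export. The following is an added example, not code from the thread or from Cygwin: it parses the `[Privilege Rights]` section of a `secedit /export` file and lists every holder of `SeTcbPrivilege` outside an allow-list. The sample export, the SID ending in 1005 and the account name `svc_su` are constructed for illustration.

```python
# Added example: audit who holds SeTcbPrivilege ("Act as part of the
# operating system") in the text of a `secedit /export` policy file.

# Constructed sample export; SIDs carry a leading '*', names do not.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeTcbPrivilege = *S-1-5-18,*S-1-5-21-1111111111-2222222222-3333333333-1005,svc_su
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

LOCAL_SYSTEM = "S-1-5-18"  # well-known SID of the LocalSystem account


def privilege_holders(inf_text, privilege):
    """Return the SIDs/account names granted `privilege` in the export."""
    holders = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue  # only user-rights assignments are of interest
        name, _, value = line.partition("=")
        if name.strip().lower() != privilege.lower():
            continue
        for entry in value.split(","):
            entry = entry.strip().lstrip("*")
            if entry:
                holders.append(entry)
    return holders


def unexpected_tcb_holders(inf_text, allowed=(LOCAL_SYSTEM,)):
    """Holders of SeTcbPrivilege that are not on the allow-list."""
    allowed_set = {a.lower() for a in allowed}
    return [h for h in privilege_holders(inf_text, "SeTcbPrivilege")
            if h.lower() not in allowed_set]


if __name__ == "__main__":
    for holder in unexpected_tcb_holders(SAMPLE_EXPORT):
        print("SeTcbPrivilege granted to:", holder)
```

With a dedicated service account as described in the message, that account goes on the `allowed` list and anything else reported is a login account carrying the privilege. Real exports are typically UTF-16 encoded, so decode the file accordingly before passing its text in.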