This is the mail archive of the cygwin-patches mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [Patch] Allow to disable root privileges with CYGWIN=noroot


On Oct  4 21:57, Corinna Vinschen wrote:
> On Oct  4 21:08, Christian Franke wrote:
> > Hi Corinna,
> >[...]
> > Unfortunately this does not work for a typical use case: an admin process 
> > creates a restricted token with standard user rights. The function 
> > IsTokenRestricted() returns TRUE only if the token contains 'restricted 
> > SIDs'.
> > (http://msdn.microsoft.com/en-us/library/aa379137(VS.85).aspx)
> 
> Bummer.
> 
> > There is apparently no function to check whether a token is a result of 
> > CreateRestrictedToken() or SaferComputeTokenFromLevel().
> >
> > Would'nt it be easier to add a new function 
> > 'cygwin_set_restricted_token(token)' instead of the test of the token type?
> 
> The idea was to avoid another non-standard system call.  Maybe you're
> right, but we should create another cygwin_internal call instead, like,
> say,
> 
>   cygwin_internal (CW_SET_RESTRICTED_TOKEN, token_handle);

...and maybe it's time to create a cygwin_internal call which replaces
cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token
in the long run.  So, instead of the above we could have this call
taking a HANDLE and a BOOL value:

  cygwin_internal (CW_SET_EXTERNAL_TOKEN, token_handle, restricted?);


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]