This is the mail archive of the
cygwin-patches
mailing list for the Cygwin project.
Re: [Patch] Allow to disable root privileges with CYGWIN=noroot
On Oct 4 21:57, Corinna Vinschen wrote:
> On Oct 4 21:08, Christian Franke wrote:
> > Hi Corinna,
> >[...]
> > Unfortunately this does not work for a typical use case: an admin process
> > creates a restricted token with standard user rights. The function
> > IsTokenRestricted() returns TRUE only if the token contains 'restricted
> > SIDs'.
> > (http://msdn.microsoft.com/en-us/library/aa379137(VS.85).aspx)
>
> Bummer.
>
> > There is apparently no function to check whether a token is a result of
> > CreateRestrictedToken() or SaferComputeTokenFromLevel().
> >
> > Would'nt it be easier to add a new function
> > 'cygwin_set_restricted_token(token)' instead of the test of the token type?
>
> The idea was to avoid another non-standard system call. Maybe you're
> right, but we should create another cygwin_internal call instead, like,
> say,
>
> cygwin_internal (CW_SET_RESTRICTED_TOKEN, token_handle);
...and maybe it's time to create a cygwin_internal call which replaces
cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token
in the long run. So, instead of the above we could have this call
taking a HANDLE and a BOOL value:
cygwin_internal (CW_SET_EXTERNAL_TOKEN, token_handle, restricted?);
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat