This is the mail archive of the cygwin-patches mailing list for the Cygwin project.
Re: [Patch] Allow to disable root privileges with CYGWIN=noroot
- From: Christian Franke <Christian dot Franke at t-online dot de>
- To: cygwin-patches at cygwin dot com
- Date: Sun, 04 Oct 2009 21:08:09 +0200
- Subject: Re: [Patch] Allow to disable root privileges with CYGWIN=noroot
- References: <4A993580.4060604@t-online.de> <20090829192050.GA32405@calimero.vinschen.de> <4A999EC2.2070801@t-online.de> <20090830090314.GB2648@calimero.vinschen.de> <4A9AD529.3060107@t-online.de> <20090901183209.GA14650@calimero.vinschen.de> <20091004123006.GF4563@calimero.vinschen.de> <20091004125455.GG4563@calimero.vinschen.de>
Hi Corinna,
Corinna Vinschen wrote:
> New patch attached. I made the test a bit more foolproof, hopefully.
> And a restricted token does not require to load the user's registry hive,
> nor should Cygwin try to enable the backup/restore permissions in the
> new token. That spoils the idea of a restricted token a bit...
> ...
Thanks!
+ bool request_restricted_uid_switch =
+ uid == myself->uid
+ && ( (cygheap->user.external_token != NO_IMPERSONATION
+ && IsTokenRestricted (cygheap->user.external_token))
+ || (cygheap->user.external_token == NO_IMPERSONATION
+ && cygheap->user.issetuid ()
+ && IsTokenRestricted (cygheap->user.curr_primary_token)));
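Review bot: the initializer of request_restricted_uid_switch has no comment saying why uid == myself->uid is required or which case each of the two branches covers, and it compares cygheap->user.external_token against NO_IMPERSONATION twice. Consider selecting the token first (external_token when it is set, otherwise curr_primary_token when issetuid () is true) and calling IsTokenRestricted () once on the result, with a short comment stating the intent. The flag also depends entirely on IsTokenRestricted (), so any token for which that call returns FALSE never sets it; the comment should say which kinds of token are meant to qualify.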
Unfortunately this does not work for a typical use case: an admin
process creates a restricted token with standard user rights. The
function IsTokenRestricted() returns TRUE only if the token contains
'restricted SIDs'.
(http://msdn.microsoft.com/en-us/library/aa379137(VS.85).aspx)
Test with tokens returned by SaferComputeTokenFromLevel():
(http://msdn.microsoft.com/en-us/library/ms972827.aspx)
SAFER_LEVELID_NORMALUSER: IsTokenRestricted()=FALSE
SAFER_LEVELID_CONSTRAINED: IsTokenRestricted()=TRUE
SAFER_LEVELID_UNTRUSTED: IsTokenRestricted()=TRUE
BTW: Only NORMALUSER works for Cygwin. Using DropMyRights.exe to
start a Cygwin process with a CONSTRAINED token results in:
5 [sig] true 3788 C:\cygwin-1.7\bin\true.exe:
*** fatal error - couldn't create signal pipe, Win32 error 5
There is apparently no function to check whether a token is a result of
CreateRestrictedToken() or SaferComputeTokenFromLevel().
Wouldn't it be easier to add a new function
'cygwin_set_restricted_token(token)' instead of the test of the token type?
Christian