This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Question about UAC and bash/cygwin


Hi Corinna,

On Thu, Aug 16, 2012 Corinna Vinschen wrote:
> On Aug 16 03:39, Lord Laraby wrote:
>> I wouldn't need *all* of her knowledge of course. Just a small amount
>> would improve my understanding immensely.
>>
>> > Probably the key point that you're stumbling over is the fact that
>> > when you're elevating your user's privileges, you're not changing
>> > from that user to 'root' but rather just enabling privileges the user
>> > is allowed to use.  'whoami' will not change.
>>
>> So then, privilege elevation would be the closest analogy (for WIndows
>> 7 etc.). After all, there is no *real* user named root on 99.9% of
>> boxes out there. An administrator gets the power to become root for a
>> time. Same with UAC, etc.
>>
>> So, you see where I'm coming from with my thinking, an Administrator
>> is adble to become Windows version of root. Same as on Linux. It's not
>> not really possible using cygwin.
>
> That has nothing to do with Cygwin.  It's a restriction of the
> CreateProcess system call.  If you want to elevate, you have to elevate
> the first process in the process chain, usually mintty.  All child
> processes will be elevated as well.
>
>
> Corinna

I know it's not a Cygwin possibility to 'escacalate' using
CreateProcess, as ShellExecute seems to be the primary (only?) way to
accomplish this. My, major emphasis is recognizing in the Cygwin dll
or startup code somewhere) that the user has full Administrator rights
and simply replacing his normal UID with 0 (or that of whomever root
seems to be by /etc/passwd). Internally (at cygwin.dll level) he/she
is still the same user, but the desired effects would be that bash and
others might change his prompt to '#' and that scripts can check for
admin rights and files he/she created would become owned by UID 0 (or
the Administrators group). In other words, by simple book-keeping
record that the user is running "seuid root". At a later time, if they
use drop-privileges (sp?) remove that setting.

It seems to my limited testing that that I can simply do 'bash
--login' as an elevated cmd prompt and keep my effective permissions.
In other words, while they can't be gained through CreateProcess, they
are not removed normally either,

Does this idea seem useless to people? Does anyone agree it would be
more unixy? The question is what changes are would be involved? I'm
willing to install the needed tools and source to investigate and see
if it's up my alley. Or help in any way I can if it gets any
concensus.

~~
Thanks,

LL

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]