This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
cygdrop - new tool for cygutils
- From: Christian Franke <Christian dot Franke at t-online dot de>
- To: cygwin-apps at cygwin dot com
- Date: Sat, 21 Nov 2009 16:17:56 +0100
- Subject: cygdrop - new tool for cygutils
The cygdrop tool allows starting a program with a restricted access
token. It uses the new restricted token feature of Cygwin >= 1.7.0-63.
It is an enhanced version of:
http://sourceware.org/ml/cygwin-patches/2009-q4/msg00098.html
Inclusion into cygutils was already discussed here:
http://sourceware.org/ml/cygwin-patches/2009-q4/msg00143.html
Some issues are still open (man page, long options).
Patch sent to Chuck Wilson as requested in HOW-TO-CONTRIBUTE.
Changelog:
2009-11-21 Christian Franke <franke at computer.org>
* src/cygdrop: New directory.
* src/cygdrop/cygdrop.cc: New file.
* Makefile.am: Add program cygdrop.
* AUTHORS: Add Christian Franke for cygdrop.
* PROGLIST: Add cygdrop.
* README: Add cygdrop.
Examples:
# Start bash without admin groups and privileges
$ cygdrop /bin/bash
# Same
$ cygdrop -l -d -m /bin/bash
# Same
$ cygdrop -g 544 -g S-1-5-21-.*-512 -P changenotify /bin/bash
# Same, but keep the backup privilege
$ cygdrop -l -d -m -P backup /bin/bash
# Help text
$ cygdrop
cygdrop is part of cygutils version X.Y
Execute COMMAND with a restricted access token
Usage: cygdrop [OPTIONS] COMMAND [ARG ...]
Group options
-l Disable local administrator group [default]
(same as '-g S-1-5-32-544').
-d Disable domain administrator group [default]
(same as '-g S-1-5-21-.*-512').
-g GROUP Disable group(s) GROUP.
-G GROUP Disable all groups except group(s) GROUP.
-r GROUP Add group(s) GROUP to restricted SIDs.
Privilege options
-m Delete most privileges [default]
(same as '-P SeChangeNotifyPrivilege').
-p PRIV Delete privilege PRIV.
-P PRIV Delete all privilege except privilege PRIV.
General options
-h Print this help.
-v Verbose output, lists groups and privileges changed.
Repeat to list all groups and privileges.
If no group or privilege option is specified, '-l -d -m' is the default.
Options with GROUP and PRIV parameter may be specified more than once.
GROUP may be specified as a SID, a regular expression matching SIDs
(must start with 'S-'), a numeric group id, or a group name.
PRIV name match is not case sensitive, prefix 'Se' and suffix 'Privilege'
may be omitted.
--
Christian Franke
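Added example, not cygdrop's own code: a C++ model of the option semantics described in the help text, applied to a constructed token, which checks that the three invocations marked "Same" above disable the same groups and delete the same privileges. The token contents (SIDs, names, gids) and the omission of -r, -v and -h are assumptions; the real tool applies the result through Cygwin's restricted-token support rather than computing a plan like this.

```cpp
// Added model of cygdrop's option semantics (not the tool's own code), applied to a constructed token.
#include <algorithm>
#include <cctype>
#include <map>
#include <regex>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>
struct Group { std::string sid, name; int gid; };
struct Token { std::vector<Group> groups; std::vector<std::string> privs; };
struct Plan { std::set<std::string> disabled, deleted; };  // SIDs to disable, privileges to delete
static bool groupMatches(const std::string& spec, const Group& g) {  // GROUP: "S-" regex, numeric gid, or name
    if (spec.rfind("S-", 0) == 0) return std::regex_match(g.sid, std::regex(spec));
    if (!spec.empty() && std::all_of(spec.begin(), spec.end(), [](unsigned char c) { return std::isdigit(c); }))
        return std::stoi(spec) == g.gid;
    return spec == g.name;
}
static bool privMatches(std::string spec, std::string priv) {  // PRIV: case-insensitive, "Se"/"Privilege" optional
    auto lower = [](std::string& s) { std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) { return static_cast<char>(std::tolower(c)); }); };
    lower(spec); lower(priv);
    std::string core = priv.size() > 11 ? priv.substr(2, priv.size() - 11) : priv;  // full names are Se...Privilege
    return spec == core || spec == "se" + core || spec == core + "privilege" || spec == "se" + core + "privilege";
}
// x is dropped when a "drop" spec matches it, or when a "keep" list was given and nothing in it matches.
template <class X, class M> static bool dropped(const X& x, const std::vector<std::string>& drop, const std::vector<std::string>& keep, M match) {
    auto m = [&](const std::string& s) { return match(s, x); };
    return std::any_of(drop.begin(), drop.end(), m) || (!keep.empty() && std::none_of(keep.begin(), keep.end(), m));
}
// Parses the options that precede COMMAND and applies them to the token ("-r", "-v" and "-h" are not modelled).
Plan plan(const Token& t, const std::vector<std::string>& args) {
    std::vector<std::string> dis, keepG, del, keepP; size_t i = 0; Plan r;
    std::map<std::string, std::vector<std::string>*> lists = {{"-g", &dis}, {"-G", &keepG}, {"-p", &del}, {"-P", &keepP}};
    for (; i < args.size() && !args[i].empty() && args[i][0] == '-'; ++i) {
        if (args[i] == "-l") dis.push_back("S-1-5-32-544");          // local Administrators
        else if (args[i] == "-d") dis.push_back("S-1-5-21-.*-512");  // Domain Admins of any domain
        else if (args[i] == "-m") keepP.push_back("SeChangeNotifyPrivilege");
        else if (lists.count(args[i])) lists[args[i]]->push_back(args.at(i + 1)), ++i;
        else throw std::invalid_argument("unknown option " + args[i]);
    }
    if (i == 0) return plan(t, {"-l", "-d", "-m", "cmd"});  // documented default when no option is given
    for (const Group& g : t.groups) if (dropped(g, dis, keepG, groupMatches)) r.disabled.insert(g.sid);
    for (const std::string& p : t.privs) if (dropped(p, del, keepP, privMatches)) r.deleted.insert(p);
    return r;
}
Token sampleToken() {  // constructed sample token; SIDs, names and gids are made up
    return {{{"S-1-5-32-544", "Administrators", 544}, {"S-1-5-32-545", "Users", 545},
             {"S-1-5-21-1111-2222-3333-512", "Domain Admins", 10512}},
            {"SeChangeNotifyPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}};
}
```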