This is the mail archive of the cygwin-apps mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

cygdrop - new tool for cygutils

From: Christian Franke <Christian dot Franke at t-online dot de>
To: cygwin-apps at cygwin dot com
Date: Sat, 21 Nov 2009 16:17:56 +0100
Subject: cygdrop - new tool for cygutils

The cygdrop tool allows to start a program with a restricted access token. It uses the new restricted token feature of Cygwin >= 1.7.0-63.

It is an enhanced version of:
http://sourceware.org/ml/cygwin-patches/2009-q4/msg00098.html
Inclusion into cygutils was already discussed here:
http://sourceware.org/ml/cygwin-patches/2009-q4/msg00143.html

Some issues are still open (man page, long options).

Patch sent to Chuck Wilson as requested in HOW-TO-CONTRIBUTE.

Changelog:

2009-11-21 Christian Franke <franke at computer.org>

	* src/cygdrop: New directory.
	* src/cygdrop/cygdrop.cc: New file.
	* Makefile.am: Add program cygdrop.
	* AUTHORS: Add Christian Franke for cygdrop.
	* PROGLIST: Add cygdrop.
	* README: Add cygdrop.

Examples:

# Start bash without admin groups and privileges
$ cygdrop /bin/bash

# Same
$ cygdrop -l -d -m /bin/bash

# Same
$ cygdrop -g 544 -g S-1-5-21-.\*-512 -P changenotify /bin/bash

# Same, but keep the backup privilege
$ cygdrop -l -d -m -P backup /bin/bash

# Help text
$ cygdrop
cygdrop is part of cygutils version X.Y

Execute COMMAND with a restricted access token

Usage: cygdrop [OPTIONS] COMMAND [ARG ...]

Group options
 -l        Disable local administrator group [default]
           (same as '-g S-1-5-32-544').
 -d        Disable domain administrator group [default]
           (same as '-g S-1-5-21-.\*-512').
 -g GROUP  Disable group(s) GROUP.
 -G GROUP  Disable all groups except group(s) GROUP.
 -r GROUP  Add group(s) GROUP to restricted SIDs.

Privilege options
 -m        Delete most privileges [default]
           (same as '-P SeChangeNotifyPrivilege').
 -p PRIV   Delete privilege PRIV.
 -P PRIV   Delete all privilege except privilege PRIV.

General options
 -h        Print this help.
 -v        Verbose output, lists groups and privileges changed.
           Repeat to list all groups and privileges.

If no group or privilege option is specified, '-l -d -m' is the default.
Options with GROUP and PRIV parameter may be specified more than once.
GROUP may be specified as a SID, a regular expression matching SIDs
(must start with 'S-'), a numeric group id, or a group name.
PRIV name match is not case sensitive, prefix 'Se' and suffix 'Privilege'
may be omitted.

--
Christian Franke

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]