cygdrop - new tool for cygutils

Christian Franke Christian.Franke@t-online.de
Sat Nov 21 15:43:00 GMT 2009


The cygdrop tool allows starting a program with a restricted access 
token. It uses the new restricted token feature of Cygwin >= 1.7.0-63.

It is an enhanced version of:
http://sourceware.org/ml/cygwin-patches/2009-q4/msg00098.html
Inclusion into cygutils was already discussed here:
http://sourceware.org/ml/cygwin-patches/2009-q4/msg00143.html

Some issues are still open (man page, long options).

Patch sent to Chuck Wilson as requested in HOW-TO-CONTRIBUTE.

Changelog:

2009-11-21  Christian Franke  <franke at computer.org>

	* src/cygdrop: New directory.
	* src/cygdrop/cygdrop.cc: New file.
	* Makefile.am: Add program cygdrop.
	* AUTHORS: Add Christian Franke for cygdrop.
	* PROGLIST: Add cygdrop.
	* README: Add cygdrop.


Examples:

# Start bash without admin groups and privileges
$ cygdrop /bin/bash

# Same
$ cygdrop -l -d -m /bin/bash

# Same
$ cygdrop -g 544 -g S-1-5-21-.\*-512 -P changenotify /bin/bash

# Same, but keep the backup privilege
$ cygdrop -l -d -m -P backup /bin/bash

# Help text
$ cygdrop
cygdrop is part of cygutils version X.Y

Execute COMMAND with a restricted access token

Usage: cygdrop [OPTIONS] COMMAND [ARG ...]

Group options
  -l        Disable local administrator group [default]
            (same as '-g S-1-5-32-544').
  -d        Disable domain administrator group [default]
            (same as '-g S-1-5-21-.\*-512').
  -g GROUP  Disable group(s) GROUP.
  -G GROUP  Disable all groups except group(s) GROUP.
  -r GROUP  Add group(s) GROUP to restricted SIDs.

Privilege options
  -m        Delete most privileges [default]
            (same as '-P SeChangeNotifyPrivilege').
  -p PRIV   Delete privilege PRIV.
  -P PRIV   Delete all privilege except privilege PRIV.

General options
  -h        Print this help.
  -v        Verbose output, lists groups and privileges changed.
            Repeat to list all groups and privileges.

If no group or privilege option is specified, '-l -d -m' is the default.
Options with GROUP and PRIV parameter may be specified more than once.
GROUP may be specified as a SID, a regular expression matching SIDs
(must start with 'S-'), a numeric group id, or a group name.
PRIV name match is not case sensitive, prefix 'Se' and suffix 'Privilege'
may be omitted.

-- 
Christian Franke
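
The GROUP and PRIV matching rules from the help text above, as an added C++ illustration that is not part of the original post and not taken from cygdrop.cc. All function names and token contents are constructed, and it assumes a regular expression has to match the entire SID.

```cpp
// Added illustration of the GROUP/PRIV matching rules in the help text.
// Not cygdrop source. Assumption: a regex has to match the whole SID.
#include <algorithm>
#include <iostream>
#include <regex>
#include <string>
#include <vector>
using Strs = std::vector<std::string>;

// PRIV: case-insensitive, "Se" prefix and "Privilege" suffix optional.
// `full` must be a well-formed Se...Privilege name. Only prepending "Se"
// when it looks absent would mis-handle "security", so match every form.
bool priv_matches(const std::string& arg, const std::string& full) {
    std::string bare = full.substr(2, full.size() - 11);
    std::regex re("(se)?" + bare + "(privilege)?", std::regex::icase);
    return std::regex_match(arg, re);
}

// GROUP given as a SID or as a regex starting with "S-".
bool sid_matches(const std::string& pattern, const std::string& sid) {
    return std::regex_match(sid, std::regex(pattern));
}

// Items for which any (want=true) or no (want=false) option matches.
template <class M>
Strs pick(const Strs& items, const Strs& opts, M match, bool want) {
    Strs out;
    for (const auto& i : items) {
        bool hit = std::any_of(opts.begin(), opts.end(),
            [&](const std::string& o) { return match(o, i); });
        if (hit == want) out.push_back(i);
    }
    return out;
}
// -g: groups that would be disabled. -P: privileges that would be deleted.
Strs disabled_groups(const Strs& sids, const Strs& g) {
    return pick(sids, g, sid_matches, true);
}
Strs deleted_privs(const Strs& privs, const Strs& keep) {
    return pick(privs, keep, priv_matches, false);
}
int main() {  // constructed token contents, not real cygdrop output
    Strs privs = {"SeChangeNotifyPrivilege", "SeBackupPrivilege", "SeSecurityPrivilege"};
    for (auto& p : deleted_privs(privs, {"changenotify", "backup"}))
        std::cout << "delete " << p << "\n";
    Strs sids = {"S-1-5-32-544", "S-1-5-32-545", "S-1-5-21-1111-2222-3333-512"};
    for (auto& s : disabled_groups(sids, {"S-1-5-32-544", "S-1-5-21-.*-512"}))
        std::cout << "disable " << s << "\n";
}
```

With whole-SID matching, the domain administrator pattern does not catch a constructed RID such as 5120; running the real tool with -v is the way to confirm what a given pattern actually changed.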


