cannot run setup64.exe without admin privileges (even if renamed foo.exe)
Shaddy Baddah
lithium-cygwin@shaddybaddah.name
Tue Oct 15 10:21:00 GMT 2013
Hi Corinna,
On 15/10/13 20:08, Corinna Vinschen wrote:
> [Redirected to cygwin-apps]
>
>
> On Sep 23 13:57, Buchbinder, Barry (NIH/NIAID) [E] wrote:
>> Larry Hall (Cygwin) sent the following at Sunday, September 22, 2013 9:42 PM
>>> No, "All Users" is also required to set up services (like sshd, crond,
>>> etc.) to work for all users (i.e. switch user context). This is the
>>> recommended way to install so that these subsequent facilities can be
>>> used with a minimum of fuss or trouble.
>>
>> Thank you for the explanation.
>>
>> Still, I'd like to urge the setup-meisters to keep those of us without
>> admin rights in mind. If we have to compile setup ourselves, many of
>> us will be staying with 32 bit for a long time.
>
> I just had a weird idea how we *might* accomplish this for 32 and 64 bit
> in the same way.
>
> Assuming setup would get an "asInvoker" manifest, so it runs with the
> privileges of the current user. First thing it would check its user
> token. There are three cases:
>
> - When started by a non-admin user, the user token would contain no
> trace of the administrators group in the user token group list.
> In this case, setup would just run along as usual for the current user.
>
> - When started elevated (with "Run as administrator...", for instance),
> the user token group list would contain the administrators group,
> enabled. So setup knows it has admin rights anyway and just runs along
> as in the non-admin user case. So, in fact, these two cases are just
> one case.
>
> - Now, when started by an admin user, but not elevated, the group list
> would contain the administrators group, too, but with the "Use for
> deny only" flag set. If setup recognizes this flag, rather than running
> along, it calls ShellExecute on itself, with the "runas" flag set.
> So it elevates a copy of itself and just exits. The elevated copy
> then runs as usual.
>
> The only downside with this concept, as far as I can see, is, somebody
> would have to implement it...
>
> Does that sound feasible?
I apologise... I've been sitting on an almost-there implementation of
this for almost two weeks, waiting for a moment to polish it properly
for patch submission.
I can't elaborate on the pros and cons of the patch at the moment, as
I am accessing my desktop remotely. But I will follow-up later tonight
with more details.
--
Regards,
Shaddy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: setup-sans-admin.patch.gz
Type: application/x-gzip
Size: 3292 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin-apps/attachments/20131015/deaa0a75/attachment.bin>
More information about the Cygwin-apps
mailing list