Windows 2003

Pierre A. Humblet
Fri Jul 11 13:03:00 GMT 2003

Corinna Vinschen wrote:
> > Also a piece of good news:
> >
> >
> > Giving the Create Token privilege seems to work, at least on some
> > 2003 systems.
> I still don't trust that statement.  It's in pure contrast to the
> given proof that SeCreateTokenPrivilege isn't in the token.  I'm
> not convinced.  *If* he's right though, we would have to carefully
> examine the differences in token creation since 1.3.1...
OK, but he had created a new account with that privilege.

> I've just got it working with a non-SYSTEM user under which sshd is
> running.  The problem was a still missing user privilege.  The user
> starting sshd as service needs not only the "Create a token object"
> but also the "Replace a process level token" privilege, otherwise
> the CreateProcessAsUser fails.  After finding it it suddenly is clear
> why it didn't work.

Great, it looks like everything is OK. The privileged user
probably also needs the new 2003 privilege SeImpersonatePrivilege.
Can you check what happens when it's missing?

So we are back to my initial question: the privileged account won't
have uid == ROOT_UID (18). Shouldn't Cygwin provide a method to
determine if an account is privileged?
One possibility is to use cygwin_internal(). I would have it return
the current uid if it is privileged, and -1 if it isn't. That way
porters could define a macro ROOT_UID = cygwin_internal(CW_ISPRIV)
and keep the usual test getuid() == ROOT_UID.


More information about the Cygwin-developers mailing list