[Patch] Allow to disable root privileges with CYGWIN=noroot

Corinna Vinschen corinna-cygwin@cygwin.com
Sun Oct 4 20:08:00 GMT 2009

On Oct  4 21:57, Corinna Vinschen wrote:
> On Oct  4 21:08, Christian Franke wrote:
> > Hi Corinna,
> >[...]
> > Unfortunately this does not work for a typical use case: an admin process 
> > creates a restricted token with standard user rights. The function 
> > IsTokenRestricted() returns TRUE only if the token contains 'restricted 
> > SIDs'.
> > (http://msdn.microsoft.com/en-us/library/aa379137(VS.85).aspx)
> Bummer.
> > There is apparently no function to check whether a token is a result of 
> > CreateRestrictedToken() or SaferComputeTokenFromLevel().
> >
> > Wouldn't it be easier to add a new function 
> > 'cygwin_set_restricted_token(token)' instead of the test of the token type?
> The idea was to avoid another non-standard system call.  Maybe you're
> right, but we should create another cygwin_internal call instead, like,
> say,
>   cygwin_internal (CW_SET_RESTRICTED_TOKEN, token_handle);

...and maybe it's time to create a cygwin_internal call which replaces
cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token
in the long run.  So, instead of the above we could have this call
taking a HANDLE and a BOOL value:

  cygwin_internal (CW_SET_EXTERNAL_TOKEN, token_handle, restricted?);


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
