[Patch] Allow to disable root privileges with CYGWIN=noroot

Christian Franke Christian.Franke@t-online.de
Sat Oct 17 12:19:00 GMT 2009

Corinna Vinschen wrote:
> I have a self-hacked version of such a tool which you can download
> from here: http://cygwin.de/gettokinfo/
>   `gettokinfo' prints everything except for the list of user rights.
>   `gettokinfo foo' prints everything including the user rights.

Thanks. I added option -t to print the thread token, patch is attached.

Observation: When Cygwin spawns a process with CreateProcessAsUser(), 
the child process main thread has a token after startup.

$ ./gettokinfo -t
OpenThreadToken: 1008

$ ./cygdrop ./gettokinfo -t
Thread Token
Type: Impersonation
Impersonation Level: SecurityImpersonation

The problem is that some calls (from _cygtls?) to user.reimpersonate() 
appear between startup and uinfo_init(). uinfo_init() does not call 
RevertToSelf() after closing the inherited token.

Quick fix:

 @@ -155,7 +161,7 @@ uinfo_init ()
    cygheap->user.curr_token_is_restricted = false;
    cygheap->user.setuid_to_restricted = false;
    cygheap->user.set_saved_sid ();      /* Update the original sid */
 -  cygheap->user.reimpersonate ();
 +  cygheap->user.deimpersonate ();

Typo ?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: gettokinfo-t-flag.patch
Type: text/x-diff
Size: 1271 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin-patches/attachments/20091017/70dde9d3/attachment.bin>

More information about the Cygwin-patches mailing list