[Patch] Allow to disable root privileges with CYGWIN=noroot
Christian Franke
Christian.Franke@t-online.de
Sat Oct 17 12:19:00 GMT 2009
Corinna Vinschen wrote:
> I have a self-hacked version of such a tool which you can download
> from here: http://cygwin.de/gettokinfo/
>
> `gettokinfo' prints everything except for the list of user rights.
> `gettokinfo foo' prints everything including the user rights.
>
>
Thanks. I added option -t to print the thread token, patch is attached.

Observation: When Cygwin spawns a process with CreateProcessAsUser(),
the child process main thread has a token after startup.

$ ./gettokinfo -t
OpenThreadToken: 1008

$ ./cygdrop ./gettokinfo -t
Thread Token
Type: Impersonation
Impersonation Level: SecurityImpersonation
...

The problem is that some calls (from _cygtls?) to user.reimpersonate()
appear between startup and uinfo_init(). uinfo_init() does not call
RevertToSelf() after closing the inherited token.

Quick fix:

@@ -155,7 +161,7 @@ uinfo_init ()
cygheap->user.curr_token_is_restricted = false;
cygheap->user.setuid_to_restricted = false;
cygheap->user.set_saved_sid (); /* Update the original sid */
- cygheap->user.reimpersonate ();
+ cygheap->user.deimpersonate ();
}
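Review bot: the call on the last line of this block in uinfo_init() changes from `reimpersonate ()` to `deimpersonate ()` without a comment, and the two names differ by two letters, so a later reader is likely to take it for a slip and revert it. Add a comment above the call stating that the thread must not be left impersonating at this point, after the inherited token has been dealt with. The lines just above clear `curr_token_is_restricted` and `setuid_to_restricted`; please confirm that nothing following this block expects the thread to still be impersonating when uinfo_init() returns. The header `@@ -155,7 +161,7 @@` also shows a six-line offset from earlier additions in the same file that are not included here, so the hunk should be posted together with the rest of the diff it was taken from.
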
Typo?

Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gettokinfo-t-flag.patch
Type: text/x-diff
Size: 1271 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin-patches/attachments/20091017/70dde9d3/attachment.bin>