From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 3265 invoked by alias); 15 Oct 2013 09:08:09 -0000 Mailing-List: contact cygwin-apps-help@cygwin.com; run by ezmlm Precedence: bulk Sender: cygwin-apps-owner@cygwin.com List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Mail-Followup-To: cygwin-apps@cygwin.com Received: (qmail 3250 invoked by uid 89); 15 Oct 2013 09:08:08 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-0.5 required=5.0 tests=AWL,BAYES_40 autolearn=ham version=3.3.2 X-HELO: calimero.vinschen.de Received: from aquarius.hirmke.de (HELO calimero.vinschen.de) (217.91.18.234) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 15 Oct 2013 09:08:08 +0000 Received: by calimero.vinschen.de (Postfix, from userid 500) id E5C5652021B; Tue, 15 Oct 2013 11:08:05 +0200 (CEST) Date: Tue, 15 Oct 2013 09:08:00 -0000 From: Corinna Vinschen To: cygwin-apps@cygwin.com Subject: Re: cannot run setup64.exe without admin privileges (even if renamed foo.exe) Message-ID: <20131015090805.GC19383@calimero.vinschen.de> Reply-To: cygwin-apps@cygwin.com Mail-Followup-To: cygwin-apps@cygwin.com References: <6CF2FC1279D0844C9357664DC5A08BA215F56A@MLBXV06.nih.gov> <523F9C4F.6010109@cygwin.com> <6CF2FC1279D0844C9357664DC5A08BA215F9C7@MLBXV06.nih.gov> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="mvpLiMfbWzRoNl4x" Content-Disposition: inline In-Reply-To: <6CF2FC1279D0844C9357664DC5A08BA215F9C7@MLBXV06.nih.gov> User-Agent: Mutt/1.5.21 (2010-09-15) X-SW-Source: 2013-10/txt/msg00129.txt.bz2 --mvpLiMfbWzRoNl4x Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-length: 2100 [Redirected to cygwin-apps] On Sep 23 13:57, Buchbinder, Barry (NIH/NIAID) [E] wrote: > Larry Hall (Cygwin) sent the following at Sunday, September 22, 2013 9:42= PM > >No, "All Users" is also required to set up services (like sshd, crond, > >etc.) to work for all users (i.e. switch user context). This is the > >recommended way to install so that these subsequent facilities can be > >used with a minimum of fuss or trouble. >=20 > Thank you for the explanation. >=20 > Still, I'd like to urge the setup-meisters to keep those of us without > admin rights in mind. If we have to compile setup ourselves, many of > us will be staying with 32 bit for a long time. I just had a weird idea how we *might* accomplish this for 32 and 64 bit in the same way. Assuming setup would get an "asInvoker" manifest, so it runs with the privileges of the current user. First thing it would check its user token. There are three cases: - When started by a non-admin user, the user token would contain no trace of the administrators group in the user token group list. In this case, setup would just run along as usual for the current user. - When started elevated (with "Run as administrator...", for instance), the user token group list would contain the administrators group, enabled. So setup knows it has admin rights anyway and just runs along as in the non-admin user case. So, in fact, these two cases are just one case. - Now, when started by an admin user, but not elevated, the group list would contain the administrators group, too, but with the "Use for deny only" flag set. If setup recognizes this flag, rather than running along, it calls ShellExecute on itself, with the "runas" flag set. So it elevates a copy of itself and just exits. The elevated copy then runs as usual. The only downside with this concept, as far as I can see, is, somebody would have to implement it... Does that sound feasible? Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --mvpLiMfbWzRoNl4x Content-Type: application/pgp-signature Content-length: 836 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJSXQX1AAoJEPU2Bp2uRE+gumMQAKPPmrCL4CQdk9QjO6+f49Wp eItd1By/bbG4NeCTa7ZcS/ccjEJr+BrcJXqc9uYtf4Qnqgeg9NP9J/p/G6T8r7L9 IeqepAxG851I3GXhhgP13K1z9cbvpEU6lupI1zvORS2bY8fXxN9jzNboDJ3B9X3T GNq2FZoTqNwLjtDE4oxCWBdfKx2btDioIzngWgk5VpByvVyt6xd0Xlpn+WYCqwz7 5ELgqzBMThjL1+sdm6O96RIlzzAjadrFPWGMHZW8U82Si9kRZTmQzMt6lO51U/Pp HIQxyZizmzUwVllKRYKifeNqH0JA9+RmBH0vZ4PJRrbYDGHP7CYqiEJzB8scrxNr 24Vcf8qd2lg2XbxPk/7ksYt9vDNtBdjo0rF29OoZg9aiUoeqsv/K9TjMWkKeq7Lb e4jbf4c5E3nUuG8H+9Mt0sYmUDFNNiiHegNeQVrZlOH6VQg9YhL6oMnNkjH3FPxJ z8NDB1+l3urTbfvotv9/hz2AklcBA4jIWTeL2jWhw63vEL9bq6/IuxEL3e3l//U5 wjrxvx9ya7UTYD+vYM8wIlrB3Nt8fF4Y5L9t2j7ZzkY/B8aZP4TeCGbkkd+VQ5AS gniIZrckFzrCUP8Q7Uarxa+ojcQbXpDjjr+NcSeepNVP5pJm4LlV6n5gisCwxMBK 3DTVzVQ76ebc+Oiq5shp =jL48 -----END PGP SIGNATURE----- --mvpLiMfbWzRoNl4x--