From: Shaddy Baddah <lithium-cygwin@shaddybaddah.name>
To: cygwin-apps@cygwin.com
Subject: Re: cannot run setup64.exe without admin privileges (even if renamed foo.exe)
Date: Tue, 15 Oct 2013 10:21:00 -0000 [thread overview]
Message-ID: <525D1731.5080801@shaddybaddah.name> (raw)
In-Reply-To: <20131015090805.GC19383@calimero.vinschen.de>
[-- Attachment #1: Type: text/plain, Size: 2417 bytes --]
Hi Corinna,
On 15/10/13 20:08, Corinna Vinschen wrote:
> [Redirected to cygwin-apps]
>
>
> On Sep 23 13:57, Buchbinder, Barry (NIH/NIAID) [E] wrote:
>> Larry Hall (Cygwin) sent the following at Sunday, September 22, 2013 9:42 PM
>>> No, "All Users" is also required to set up services (like sshd, crond,
>>> etc.) to work for all users (i.e. switch user context). This is the
>>> recommended way to install so that these subsequent facilities can be
>>> used with a minimum of fuss or trouble.
>>
>> Thank you for the explanation.
>>
>> Still, I'd like to urge the setup-meisters to keep those of us without
>> admin rights in mind. If we have to compile setup ourselves, many of
>> us will be staying with 32 bit for a long time.
>
> I just had a weird idea how we *might* accomplish this for 32 and 64 bit
> in the same way.
>
> Assuming setup would get an "asInvoker" manifest, so it runs with the
> privileges of the current user. First thing it would check its user
> token. There are three cases:
>
> - When started by a non-admin user, the user token would contain no
> trace of the administrators group in the user token group list.
> In this case, setup would just run along as usual for the current user.
>
> - When started elevated (with "Run as administrator...", for instance),
> the user token group list would contain the administrators group,
> enabled. So setup knows it has admin rights anyway and just runs along
> as in the non-admin user case. So, in fact, these two cases are just
> one case.
>
> - Now, when started by an admin user, but not elevated, the group list
> would contain the administrators group, too, but with the "Use for
> deny only" flag set. If setup recognizes this flag, rather than running
> along, it calls ShellExecute on itself, with the "runas" flag set.
> So it elevates a copy of itself and just exits. The elevated copy
> then runs as usual.
>
> The only downside with this concept, as far as I can see, is, somebody
> would have to implement it...
>
> Does that sound feasible?
I apologise... I've been sitting on an almost-there implementation of
this for almost two weeks, waiting for a moment to polish it properly
for patch submission.
I can't elaborate on the pros and cons of the patch at the moment, as
I am accessing my desktop remotely. But I will follow-up later tonight
with more details.
--
Regards,
Shaddy
[-- Attachment #2: setup-sans-admin.patch.gz --]
[-- Type: application/x-gzip, Size: 3292 bytes --]
next prev parent reply other threads:[~2013-10-15 10:21 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <6CF2FC1279D0844C9357664DC5A08BA215F56A@MLBXV06.nih.gov>
[not found] ` <523F9C4F.6010109@cygwin.com>
[not found] ` <6CF2FC1279D0844C9357664DC5A08BA215F9C7@MLBXV06.nih.gov>
2013-10-15 9:08 ` Corinna Vinschen
2013-10-15 10:21 ` Shaddy Baddah [this message]
2013-10-15 12:22 ` Corinna Vinschen
2013-10-15 15:18 ` Shaddy Baddah
2013-10-15 16:00 ` Corinna Vinschen
2013-11-04 11:59 ` Corinna Vinschen
2013-11-06 11:18 ` Shaddy Baddah
2013-11-06 13:21 ` Shaddy Baddah
2013-11-06 13:43 ` Corinna Vinschen
2013-11-06 16:12 ` Christopher Faylor
2013-11-06 16:50 ` Corinna Vinschen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=525D1731.5080801@shaddybaddah.name \
--to=lithium-cygwin@shaddybaddah.name \
--cc=cygwin-apps@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).